CVE-2025-64123 Overview
CVE-2025-64123 is an Unintended Proxy or Intermediary vulnerability [CWE-441] affecting the Nuvation Energy Multi-Stack Controller (MSC). The flaw allows network boundary bridging, enabling a remote attacker to relay traffic through the device and reach networks that should be segmented from the public interface. All releases through and including 2.5.1 are affected. The issue impacts the nPlatform software and multiple MSC hardware models deployed in battery energy storage systems. Attackers do not need authentication or user interaction to exploit the device as an unintended proxy.
Critical Impact
A remote, unauthenticated attacker can pivot through the Multi-Stack Controller to bridge segmented operational technology (OT) networks, compromising the confidentiality, integrity, and availability of downstream systems.
Affected Products
- Nuvation Energy nPlatform (through release 2.5.1)
- Nuvation Energy NUVMSC3-04S-C, NUVMSC3-08S-C Multi-Stack Controllers
- Nuvation Energy NUVMSC3-12S-C, NUVMSC3-16S-C Multi-Stack Controllers
Discovery Timeline
- 2026-01-02 - CVE-2025-64123 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2025-64123
Vulnerability Analysis
The Multi-Stack Controller orchestrates communication between battery stacks, site controllers, and operator interfaces. The device exposes network services that forward or relay traffic without enforcing boundary controls. An attacker reaching the controller's network interface can leverage it as an intermediary to send packets into network segments that should remain isolated from external access.
Network boundary bridging defeats the segmentation model commonly used in energy storage deployments, where operator networks, control networks, and field device networks are intentionally separated. The downstream impact extends to subsequent systems rather than the controller itself, which is reflected in the subsequent system confidentiality, integrity, and availability metrics being rated high.
Root Cause
The root cause is classified as [CWE-441]: Unintended Proxy or Intermediary, also called "Confused Deputy." The controller forwards requests on behalf of an external client without validating whether the source is authorized to reach the destination network. The trust placed in the controller by adjacent segmented networks is abused when it relays attacker-controlled traffic.
Attack Vector
Exploitation requires only network access to the controller's exposed interface. No credentials, privileges, or user interaction are required. The attacker crafts traffic targeted at internal resources and routes it through the controller, which forwards the requests into protected segments. No public proof-of-concept code is available, and the vulnerability is not listed in CISA KEV. Technical details are referenced in the Dragos Security Advisory.
Detection Methods for CVE-2025-64123
Indicators of Compromise
- Unexpected outbound connections from the MSC to hosts on segmented control or field networks that do not correlate with normal energy management workflows.
- Inbound traffic from untrusted networks terminating at the MSC followed by near-simultaneous traffic to internal subnets.
- Protocol anomalies where the MSC proxies non-standard ports or protocols toward downstream devices.
Detection Strategies
- Inspect network flow logs (NetFlow, IPFIX, or zeek conn logs) for the MSC acting as a relay between external and internal segments.
- Deploy OT-aware intrusion detection rules that alert on cross-segment traffic originating at the MSC outside scheduled operational windows.
- Correlate MSC interface traffic with firewall logs to identify sessions that bypass intended segmentation policies.
Monitoring Recommendations
- Forward MSC and adjacent firewall logs to a centralized SIEM and alert on policy violations involving the controller's IP address.
- Baseline normal east-west traffic patterns for the controller and trigger alerts on deviations in destination subnets or protocols.
- Track authentication and configuration changes on the MSC management plane for unauthorized access attempts.
How to Mitigate CVE-2025-64123
Immediate Actions Required
- Restrict network access to the MSC management and data interfaces using firewall rules that permit only authorized engineering and SCADA hosts.
- Remove any direct exposure of the MSC to the internet or untrusted enterprise networks.
- Audit existing firewall and ACL configurations to confirm that the controller cannot route traffic between separated security zones.
Patch Information
The vulnerability affects Multi-Stack Controller releases through and including 2.5.1. Operators should consult Nuvation Energy and the Dragos Security Advisory for the latest fixed release and apply firmware updates following established change-management procedures for OT environments.
Workarounds
- Place the MSC behind a dedicated industrial firewall or data diode that enforces unidirectional or strictly filtered communication between zones.
- Disable any unused network services and management protocols on the controller to reduce relay opportunities.
- Implement network segmentation following IEC 62443 zone and conduit principles so that the MSC cannot reach assets outside its required scope.
# Configuration example: restrict MSC access with iptables on an upstream gateway
iptables -A FORWARD -s <trusted_scada_subnet> -d <msc_ip> -j ACCEPT
iptables -A FORWARD -d <msc_ip> -j DROP
iptables -A FORWARD -s <msc_ip> -d <field_network_subnet> -p tcp --dport <allowed_port> -j ACCEPT
iptables -A FORWARD -s <msc_ip> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
