Cyber Resilience

CVE-2025-25281

High

Published: 13 February 2025

Published
13 February 2025
Modified
10 April 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 56.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25281 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Outbackpower Mojave Inverter Oghi8048A Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-25281 is an information disclosure vulnerability (CWE-200) published on 2025-02-13, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). It allows an attacker to modify the URL of an affected web component to discover sensitive information about the target network. The vulnerability is linked to Outback Power products, as referenced in the vendor's site and a CISA ICS advisory.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation results in high-impact confidentiality loss, enabling discovery of sensitive network details without affecting integrity or availability.

Mitigation guidance is available in CISA ICS Advisory ICSA-25-044-17 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17. Additional support can be obtained by contacting Outback Power at https://old.outbackpower.com/about-outback/contact/contact-us.

EU & UK References

Vulnerability details

An attacker may modify the URL to discover sensitive information about the target network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1016 System Network Configuration Discovery Discovery
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
Why these techniques?

Unauthenticated remote info disclosure via URL manipulation in public-facing web component directly maps to T1190 exploitation; resulting network details disclosure enables T1016 for configuration discovery.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24861Same product: Outbackpower Mojave Inverter Oghi8048A
CVE-2025-26473Same product: Outbackpower Mojave Inverter Oghi8048A
CVE-2024-13796Shared CWE-200
CVE-2025-25975Shared CWE-200
CVE-2024-12142Shared CWE-200
CVE-2025-25951Shared CWE-200
CVE-2026-34297Shared CWE-200
CVE-2024-26480Shared CWE-200
CVE-2026-24498Shared CWE-200
CVE-2025-22828Shared CWE-200

Affected Assets

outbackpower
mojave inverter oghi8048a firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates protections for public web servers to prevent unauthorized access and disclosure of sensitive information, directly countering URL modification exploits in web components.

prevent

Requires filtering of information output from web applications to non-privileged users, preventing leakage of sensitive network details in responses to tampered URLs.

prevent

Enforces validation of inputs such as URL parameters to block attacker manipulation that leads to unauthorized disclosure of target network information.

References