Cyber Resilience

CVE-2025-64121

Critical

Published: 02 January 2026

Published
02 January 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X
EPSS Score 0.0035 27.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-64121 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Nuvationenergy Nplatform. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-64121 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Nuvation Energy Multi-Stack Controller (MSC). It affects MSC versions from 2.3.8 up to but not including 2.5.1. The vulnerability enables attackers to bypass authentication mechanisms, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows authentication bypass, potentially granting unauthorized access to the MSC device and enabling full control over its functions.

A related advisory is available from Dragos at https://www.dragos.com/community/advisories/CVE-2025-64119, which may provide additional context or mitigation guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a network-accessible service (Nuvation Energy MSC), directly enabling exploitation of a public-facing application for unauthorized remote access and full control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64124Same product: Nuvationenergy Nplatform
CVE-2025-64123Same product: Nuvationenergy Nplatform
CVE-2025-64120Same product: Nuvationenergy Nplatform
CVE-2026-44574Shared CWE-288
CVE-2025-2747Shared CWE-288
CVE-2025-69101Shared CWE-288
CVE-2026-2628Shared CWE-288
CVE-2026-22733Shared CWE-288
CVE-2026-44575Shared CWE-288
CVE-2025-50904Shared CWE-288

Affected Assets

nuvationenergy
nplatform
2.3.8 — 2.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Explicitly identifies and restricts actions permitted without identification or authentication, directly mitigating authentication bypass via alternate paths or channels.

prevent

Enforces approved access authorizations across all logical access paths, preventing unauthorized access through alternate unauthenticated channels.

prevent

Limits privileges to the minimum necessary, reducing the impact of successful authentication bypass by restricting unauthorized actions post-access.

References