Cyber Posture

CVE-2025-64123

Critical

Published: 02 January 2026

Modified: 26 February 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-64123 is a critical-severity Confused Deputy (CWE-441) vulnerability in Nuvationenergy Nplatform. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Boundary Bridging (T1599). The CVE ranks at the 23.5th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Network Boundary Bridging (T1599).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Boundary protection monitors and controls communications at network boundaries, directly preventing the unintended proxying and network boundary bridging allowed by CVE-2025-64123 in the MSC.

Prevent: Information flow enforcement restricts unauthorized data flows between networks, mitigating the proxy vulnerability that enables boundary bridging in affected MSC deployments.

Prevent: Flaw remediation requires timely patching of the specific unintended proxy vulnerability in Nuvation Energy MSC through release 2.5.1, eliminating the root cause of network boundary bridging.

MITRE ATT&CK Enterprise Techniques · AI

T1599 · Network Boundary Bridging · Defense Impairment
Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation.

Why these techniques?

The vulnerability is explicitly described as enabling Network Boundary Bridging via unintended proxy/intermediary behavior (CWE-441), which directly matches T1599.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging. This issue affects Multi-Stack Controller (MSC): through and including release 2.5.1.

Deeper analysis · AI

CVE-2025-64123 is an Unintended Proxy or Intermediary vulnerability (CWE-441) in the Nuvation Energy Multi-Stack Controller (MSC) that allows Network Boundary Bridging. This issue affects the MSC through and including release 2.5.1. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-02.

Attackers can exploit this vulnerability remotely over the network with low complexity, without privileges or user interaction. Successful exploitation has a high impact on confidentiality, integrity, and availability, and enables attackers to bridge network boundaries in affected MSC deployments.

Advisories related to this vulnerability are available at https://www.dragos.com/community/advisories/CVE-2025-64119.

Details

CWE(s)

Affected Products

nuvationenergy · nplatform · ≤ 2.5.1

CVEs Like This One

CVE-2025-64124 · Same product: Nuvationenergy Nplatform
CVE-2025-64121 · Same product: Nuvationenergy Nplatform
CVE-2025-64120 · Same product: Nuvationenergy Nplatform
CVE-2026-0107 · Shared CWE-441
CVE-2026-0008 · Shared CWE-441
CVE-2026-0021 · Shared CWE-441
CVE-2025-48646 · Shared CWE-441
CVE-2026-39906 · Shared CWE-441
CVE-2023-31313 · Shared CWE-441
CVE-2026-0013 · Shared CWE-441
