Cyber Resilience

CVE-2025-64123

High

Published: 02 January 2026

Modified: 26 February 2026
CVSS Score v4: 7.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0027 (19.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-64123 is a high-severity Confused Deputy (CWE-441) vulnerability in Nuvationenergy Nplatform. Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Boundary Bridging (T1599). The CVE ranks at the 19.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-64123 is an Unintended Proxy or Intermediary vulnerability (CWE-441) in the Nuvation Energy Multi-Stack Controller (MSC) that allows Network Boundary Bridging. This issue affects the MSC through and including release 2.5.1. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-02.

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Successful exploitation has a high impact on confidentiality, integrity, and availability, and enables attackers to bridge network boundaries in affected MSC deployments.

Advisories related to this vulnerability are available at https://www.dragos.com/community/advisories/CVE-2025-64119.

Vulnerability details

Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging. This issue affects Multi-Stack Controller (MSC): through and including release 2.5.1.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1599 · Network Boundary Bridging · Defense Impairment
Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation.
Why these techniques?

Explicitly described as enabling Network Boundary Bridging via unintended proxy/intermediary behavior (CWE-441), directly matching T1599.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64121 · Same product: Nuvationenergy Nplatform
CVE-2025-64124 · Same product: Nuvationenergy Nplatform
CVE-2025-64120 · Same product: Nuvationenergy Nplatform
CVE-2025-48646 · Shared CWE-441
CVE-2025-48570 · Shared CWE-441
CVE-2026-36608 · Shared CWE-441
CVE-2023-31313 · Shared CWE-441
CVE-2026-0021 · Shared CWE-441
CVE-2026-0098 · Shared CWE-441
CVE-2026-0107 · Shared CWE-441

Affected Assets

nuvationenergy · nplatform · ≤ 2.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Boundary protection monitors and controls communications at network boundaries, directly preventing the unintended proxying and network boundary bridging allowed by CVE-2025-64123 in the MSC.

prevent

Information flow enforcement restricts unauthorized data flows between networks, mitigating the proxy vulnerability that enables boundary bridging in affected MSC deployments.

prevent

Flaw remediation requires timely patching of the specific unintended proxy vulnerability in Nuvation Energy MSC through release 2.5.1, eliminating the root cause of network boundary bridging.
