Cyber Resilience

CVE-2025-64124

HighRCE

Published: 03 January 2026

Published
03 January 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0090 55.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-64124 is a high-severity OS Command Injection (CWE-78) vulnerability in Nuvationenergy Nplatform. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-64124 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting Nuvation Energy's Multi-Stack Controller (MSC) software in versions before 2.5.1. Published on 2026-01-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability enables exploitation over the network by attackers with low privileges (PR:L), requiring low attack complexity and no user interaction. Successful exploitation allows arbitrary OS command injection, granting high-level impacts on confidentiality, integrity, and availability, which could result in full system compromise on the affected MSC device.

For mitigation guidance, security practitioners should consult advisories such as the Dragos community advisory at https://www.dragos.com/community/advisories/CVE-2025-64119. Updating to Multi-Stack Controller version 2.5.1 or later addresses the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection.This issue affects Multi-Stack Controller (MSC): before 2.5.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS Command Injection vulnerability in network-accessible software enables exploitation of public-facing application (T1190) for arbitrary command execution via command interpreter (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64120Same product: Nuvationenergy Nplatform
CVE-2025-64121Same product: Nuvationenergy Nplatform
CVE-2025-64123Same product: Nuvationenergy Nplatform
CVE-2026-28470Shared CWE-78
CVE-2025-69269Shared CWE-78
CVE-2025-24971Shared CWE-78
CVE-2026-22553Shared CWE-78
CVE-2026-22901Shared CWE-78
CVE-2026-1345Shared CWE-78
CVE-2026-6349Shared CWE-78

Affected Assets

nuvationenergy
nplatform
≤ 2.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates OS command injection by requiring validation of information inputs to neutralize special elements used in OS commands.

prevent

Ensures timely patching of the specific flaw in MSC versions before 2.5.1, preventing exploitation of the command injection vulnerability.

prevent

Enforces restrictions on information inputs at system interfaces, limiting opportunities for attackers to inject malicious OS commands.

References