Cyber Posture

CVE-2025-64124

HighRCE

Published: 03 January 2026

Published
03 January 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0034 56.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64124 is a high-severity OS Command Injection (CWE-78) vulnerability in Nuvationenergy Nplatform. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates OS command injection by requiring validation of information inputs to neutralize special elements used in OS commands.

SI-2 Flaw Remediation good match
prevent

Ensures timely patching of the specific flaw in MSC versions before 2.5.1, preventing exploitation of the command injection vulnerability.

SI-9 Information Input Restrictions partial match
prevent

Enforces restrictions on information inputs at system interfaces, limiting opportunities for attackers to inject malicious OS commands.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

OS Command Injection vulnerability in network-accessible software enables exploitation of public-facing application (T1190) for arbitrary command execution via command interpreter (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection.This issue affects Multi-Stack Controller (MSC): before 2.5.1.

Deeper analysisAI

CVE-2025-64124 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting Nuvation Energy's Multi-Stack Controller (MSC) software in versions before 2.5.1. Published on 2026-01-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability enables exploitation over the network by attackers with low privileges (PR:L), requiring low attack complexity and no user interaction. Successful exploitation allows arbitrary OS command injection, granting high-level impacts on confidentiality, integrity, and availability, which could result in full system compromise on the affected MSC device.

For mitigation guidance, security practitioners should consult advisories such as the Dragos community advisory at https://www.dragos.com/community/advisories/CVE-2025-64119. Updating to Multi-Stack Controller version 2.5.1 or later addresses the issue.

Details

CWE(s)
CWE-78

Affected Products

nuvationenergy
nplatform
≤ 2.5.1

CVEs Like This One

CVE-2025-64120Same product: Nuvationenergy Nplatform
CVE-2025-64121Same product: Nuvationenergy Nplatform
CVE-2025-64123Same product: Nuvationenergy Nplatform
CVE-2025-0680Shared CWE-78
CVE-2025-23316Shared CWE-78
CVE-2025-11900Shared CWE-78
CVE-2026-25108Shared CWE-78
CVE-2025-50197Shared CWE-78
CVE-2026-27190Shared CWE-78
CVE-2026-0980Shared CWE-78

References