CVE-2025-64121 and CVE-2025-64120: Critical Authentication Bypass and Command Injection Flaws Enable Full Remote Takeover of Nuvation Energy MSC

Affected Product: Nuvation Energy Multi-Stack Controller (MSC)
Affected Versions: 2.3.8 up to but not including 2.5.1
Environment Impacted: Operational Technology (OT), Energy Storage Systems (ESS), Industrial Control Networks

These vulnerabilities can be exploited independently, but when chained together, they enable unauthenticated attackers to gain full control of the MSC and the underlying operating system.


CVE-2025-64121 – Authentication Bypass via Alternate Access Path

Vulnerability Summary

CVE ID: CVE-2025-64121
Vulnerability Type: Authentication Bypass Using Alternate Path or Channel
CWE: CWE-288
Severity: Critical

CVSS v3.1

  • Score: 9.8 / 10
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Impact: Complete compromise of confidentiality, integrity, and availability

Exploitability & Availability

  • Exploitability: Very High
  • Authentication Required: None
  • Public Proof of Concept: Not publicly released
  • Real-World Exploit Feasibility: High

This vulnerability allows attackers to bypass authentication entirely by interacting with an alternate access path that fails to enforce proper authentication checks.


Technical Root Cause

The MSC exposes multiple internal services and communication paths for management, monitoring, and integration. In vulnerable versions, at least one alternate access channel does not properly validate authentication state.

This may include:

  • Secondary API endpoints
  • Internal service ports
  • Legacy management paths
  • Debug or diagnostic interfaces

The flaw occurs because authentication checks are enforced on the primary interface but not consistently enforced across all access paths, allowing attackers to reach protected functionality without credentials.


How This Can Be Exploited

  1. An attacker scans the MSC for exposed management services.
  2. The attacker identifies an alternate interface or endpoint.
  3. Requests sent to this path are accepted without authentication.
  4. The attacker gains access to privileged management functions.

This allows:

  • Reading sensitive configuration data
  • Modifying system parameters
  • Triggering system-level actions
  • Preparing the device for further compromise

Impact

Successful exploitation enables:

  • Full administrative access without login
  • Unauthorized configuration changes
  • Exposure of credentials and secrets
  • Service disruption or shutdown
  • Preparation for follow-on attacks such as command injection

In energy storage environments, this can directly affect system safety, reliability, and regulatory compliance.


MITRE ATT&CK Mapping

Initial Access

  • T1078 – Valid Accounts (bypass context)
  • T1190 – Exploit Public-Facing Application

Privilege Escalation

  • T1068 – Exploitation for Privilege Escalation

Impact

  • T1489 – Service Stop
  • T1499 – Endpoint Denial of Service

Detection & Monitoring

Indicators of Compromise

  • Management actions performed without prior authentication events
  • Requests to non-standard management endpoints
  • Configuration changes outside approved maintenance windows

Detection Rules (Conceptual)

  • Alert on privileged actions without a valid session
  • Detect access to undocumented or legacy endpoints
  • Monitor repeated access attempts to internal services

Relevant Log Sources

  • MSC authentication logs
  • Application access logs
  • Configuration change audit logs
  • Network traffic logs (east-west traffic)
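A worked form of the first two conceptual rules above, added here as an example rather than code from Nuvation or the MSC: it correlates privileged actions with prior authentication events and flags endpoints outside a documented allowlist. The log format, endpoint list, session lifetime and sample lines are constructed assumptions; the parser must be adapted to the MSC's real log output.

```python
"""Conceptual detector for the CVE-2025-64121 indicators above. Added example,
not Nuvation code; the log format below is constructed and hypothetical."""
import re
from datetime import datetime, timedelta

# Constructed sample: one authenticated admin session, then unauthenticated
# privileged actions arriving over a legacy management path.
SAMPLE_LOGS = """\
2025-11-03T10:00:01Z src=10.1.5.20 event=auth_success user=operator session=abc123
2025-11-03T10:00:09Z src=10.1.5.20 event=config_change path=/api/v1/config session=abc123
2025-11-03T10:02:30Z src=10.1.9.77 event=config_change path=/legacy/mgmt/config session=-
2025-11-03T10:02:31Z src=10.1.9.77 event=system_action path=/legacy/mgmt/restart session=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
PRIVILEGED = {"config_change", "system_action"}
DOCUMENTED_PATHS = {"/api/v1/config", "/api/v1/status"}   # assumed allowlist
AUTH_WINDOW = timedelta(hours=8)                           # assumed session lifetime

def parse(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec.update(kv.split("=", 1) for kv in rec.pop("rest").split())
    return rec

def detect(log_text):
    """Return (rule, src, path) for privileged actions lacking a valid session."""
    alerts, sessions = [], {}            # sessions: id -> (src, auth time)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["event"] == "auth_success":
            sessions[rec["session"]] = (rec["src"], rec["ts"])
            continue
        if rec["event"] not in PRIVILEGED:
            continue
        auth = sessions.get(rec.get("session", "-"))
        valid = (auth is not None and auth[0] == rec["src"]
                 and rec["ts"] - auth[1] <= AUTH_WINDOW)
        if not valid:
            alerts.append(("privileged_action_without_session", rec["src"], rec["path"]))
        if rec["path"] not in DOCUMENTED_PATHS:
            alerts.append(("undocumented_endpoint", rec["src"], rec["path"]))
    return alerts
```

The session check binds the session id to the source address so a replayed id from another host is still flagged.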

CVE-2025-64120 – OS Command Injection

Vulnerability Summary

CVE ID: CVE-2025-64120
Vulnerability Type: OS Command Injection
CWE: CWE-78
Severity: High


CVSS v3.1

  • Score: 8.8 / 10
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Impact: High impact on confidentiality, integrity, and availability

Exploitability & Availability

  • Exploitability: High
  • Public Proof of Concept: Not publicly available
  • Weaponization Risk: High

When paired with CVE-2025-64121, this vulnerability becomes remotely exploitable without credentials.


Technical Root Cause

The MSC executes operating system commands as part of its maintenance and control functions. User-supplied input is passed into shell execution contexts without sufficient sanitization or escaping.

This allows attackers to inject shell metacharacters that are interpreted by the OS instead of being treated as data.
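The root cause beside its fix, as an added example that is not the MSC's own code: a hypothetical "target" parameter and diagnostic binary stand in for the affected maintenance function. The vulnerable form splices the value into a shell command line; the hardened form validates against a strict allowlist and passes an argv array with no shell, which is the pattern the 2.5.1 fix description ("validates and sanitizes command input") corresponds to.

```python
"""Hardened handling of a user-supplied parameter that reaches an OS command.
Added example, not the MSC's own code: the 'target' parameter and the diagnostic
binary it feeds are hypothetical stand-ins for the affected maintenance function."""
import re
import subprocess

# Shell operators named in this advisory; a legitimate parameter never needs them.
CHAIN_PATTERN = re.compile(r";|&&|\|\||\||`|\$\(")
# Strict allowlist describing what a valid value looks like (assumed for the demo).
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def vulnerable_command(value):
    """The bug pattern (CWE-78): the value is spliced into a string that is later
    handed to a shell, so operators in it are parsed as commands. Returned, not run."""
    return f"/usr/bin/diag --target {value}"

def contains_chaining(value):
    """Input-side detection: does the value carry a command-chaining construct?"""
    return CHAIN_PATTERN.search(value) is not None

def build_command(value):
    """Hardened form: reject anything outside the allowlist, then build an argv."""
    if not SAFE_VALUE.match(value):
        raise ValueError(f"rejected parameter value: {value!r}")
    return ["/usr/bin/diag", "--target", value]

def run_diag(value):
    """Execute with shell=False (the default): argv goes to execve unchanged, so
    even a value containing '&&' would arrive as one literal argument."""
    return subprocess.run(build_command(value), capture_output=True, text=True, check=False)
```

Allowlisting is preferred over blocklisting the listed operators, since the allowlist also rejects newlines, quotes and encodings a blocklist would miss.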


Exploitation Mechanics

  1. Attacker accesses a vulnerable function that executes system commands.
  2. Malicious input includes shell operators.
  3. The MSC executes the injected command.
  4. The attacker gains command execution on the controller OS.

Example Payload Characteristics

Common injected elements include:

  • ;
  • &&
  • ||
  • |
  • `command`
  • $(command)

Illustrative example:

parameter=value && /bin/sh -c "whoami"

Impact

  • Arbitrary command execution
  • Installation of persistent backdoors
  • Tampering with energy system logic
  • Data manipulation or destruction
  • Complete device takeover

This is especially dangerous in OT environments where safety mechanisms depend on trusted controller behavior.


MITRE ATT&CK Mapping

Execution

  • T1059 – Command and Scripting Interpreter

Persistence

  • T1547 – Boot or Logon Autostart Execution

Defense Evasion

  • T1070 – Indicator Removal on Host

Impact

  • T1485 – Data Destruction
  • T1499 – Endpoint Denial of Service

Detection & Monitoring

Indicators

  • Shell processes spawned by MSC services
  • Unexpected command execution
  • Outbound connections from the MSC

Detection Rules (Conceptual)

  • Alert on shell execution by non-interactive services
  • Detect command chaining patterns in input
  • Monitor changes to startup scripts or cron jobs
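A process-lineage check for the first rule above, added as an example and not vendor code: it flags a shell spawned by an MSC service process with no controlling terminal, while exempting interactive operator sessions and a baseline of known scripted shell use. Service names, shell paths, the baseline and the exec records are all constructed assumptions.

```python
"""Conceptual process-lineage detector for CVE-2025-64120 follow-on activity.
Added example, not vendor code. Record format is constructed (exec events as
parent/child pairs such as auditd or an EDR agent would emit); adapt to real telemetry."""

# Constructed exec events: (parent_comm, child_exe, child_args, tty)
SAMPLE_EVENTS = [
    ("msc-api",   "/usr/bin/diag", "--target bms-stack-1", "none"),
    ("msc-api",   "/bin/sh",       '-c "whoami"',          "none"),
    ("msc-sched", "/bin/sh",       "-c /opt/msc/cron.sh",  "none"),
    ("bash",      "/bin/sh",       "-c ls",                "pts/0"),
]

MSC_SERVICES = {"msc-api", "msc-sched", "msc-ctl"}           # assumed service names
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh"}
# Known-good scripted shell use by MSC services (assumed baseline, tune per site)
BASELINE = {("msc-sched", "-c /opt/msc/cron.sh")}

def classify(event):
    """Return an alert tuple for a shell spawned by a non-interactive MSC service."""
    parent, exe, args, tty = event
    if exe not in SHELLS or parent not in MSC_SERVICES:
        return None
    if tty != "none":
        return None                      # interactive admin session, not a service
    if (parent, args) in BASELINE:
        return None                      # expected scripted use
    return ("shell_spawned_by_service", parent, args)

def detect_shell_spawns(events):
    """Run classify over a batch of exec events and keep the alerts."""
    return [alert for alert in map(classify, events) if alert]
```

Baseline the controller's legitimate scripted shell use before deploying the rule, or it will page on every maintenance cron run.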

Relevant Log Sources

  • Process execution logs
  • Application logs
  • Network egress logs
  • System audit logs

Chained Attack Risk

When CVE-2025-64121 and CVE-2025-64120 are combined:

  1. Attacker bypasses authentication entirely
  2. Attacker reaches command-executing functionality
  3. Attacker gains full OS-level control remotely

This represents a complete compromise scenario with no user interaction and minimal attacker effort.


Remediation

Official Fix

Upgrade to Multi-Stack Controller (MSC) version 2.5.1 or later.

The patched version:

  • Enforces authentication across all access paths
  • Properly validates and sanitizes command input
  • Restricts execution contexts

Official Patch Link

https://nuvationenergy.com/support/software-updates


Final Risk Assessment

These vulnerabilities represent a critical threat to energy storage infrastructure. Organizations operating affected MSC versions should treat remediation as urgent and assume compromise risk until patched. Strong network segmentation and enhanced monitoring are essential compensating controls.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.