CVE-2025-25281
Published: 13 February 2025
Description
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
Security Summary
CVE-2025-25281 is an information disclosure vulnerability (CWE-200) published on 2025-02-13, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). It allows an attacker to modify the URL of an affected web component to discover sensitive information about the target network. The vulnerability is linked to Outback Power products, as referenced in the vendor's site and a CISA ICS advisory.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation results in high-impact confidentiality loss, enabling discovery of sensitive network details without affecting integrity or availability.
Mitigation guidance is available in CISA ICS Advisory ICSA-25-044-17 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17. Additional support can be obtained by contacting Outback Power at https://old.outbackpower.com/about-outback/contact/contact-us.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote info disclosure via URL manipulation in public-facing web component directly maps to T1190 exploitation; resulting network details disclosure enables T1016 for configuration discovery.