CVE-2025-64121
Published: 02 January 2026
Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.
Mitigating Controls (NIST 800-53 r5)AI
Explicitly identifies and restricts actions permitted without identification or authentication, directly mitigating authentication bypass via alternate paths or channels.
Enforces approved access authorizations across all logical access paths, preventing unauthorized access through alternate unauthenticated channels.
Limits privileges to the minimum necessary, reducing the impact of successful authentication bypass by restricting unauthorized actions post-access.
Security SummaryAI
CVE-2025-64121 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Nuvation Energy Multi-Stack Controller (MSC). It affects MSC versions from 2.3.8 up to but not including 2.5.1. The vulnerability enables attackers to bypass authentication mechanisms, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows authentication bypass, potentially granting unauthorized access to the MSC device and enabling full control over its functions.
A related advisory is available from Dragos at https://www.dragos.com/community/advisories/CVE-2025-64119, which may provide additional context or mitigation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass in a network-accessible service (Nuvation Energy MSC), directly enabling exploitation of a public-facing application for unauthorized remote access and full control.