Cyber Posture

CVE-2025-64124

High

Published: 03 January 2026

Published
03 January 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0034 56.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection.This issue affects Multi-Stack Controller (MSC): before 2.5.1.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates OS command injection by requiring validation of information inputs to neutralize special elements used in OS commands.

SI-2 Flaw Remediation good match
prevent

Ensures timely patching of the specific flaw in MSC versions before 2.5.1, preventing exploitation of the command injection vulnerability.

SI-9 Information Input Restrictions partial match
prevent

Enforces restrictions on information inputs at system interfaces, limiting opportunities for attackers to inject malicious OS commands.

Security SummaryAI

CVE-2025-64124 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting Nuvation Energy's Multi-Stack Controller (MSC) software in versions before 2.5.1. Published on 2026-01-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability enables exploitation over the network by attackers with low privileges (PR:L), requiring low attack complexity and no user interaction. Successful exploitation allows arbitrary OS command injection, granting high-level impacts on confidentiality, integrity, and availability, which could result in full system compromise on the affected MSC device.

For mitigation guidance, security practitioners should consult advisories such as the Dragos community advisory at https://www.dragos.com/community/advisories/CVE-2025-64119. Updating to Multi-Stack Controller version 2.5.1 or later addresses the issue.

Details

CWE(s)
CWE-78

Affected Products

nuvationenergy
nplatform
≤ 2.5.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

OS Command Injection vulnerability in network-accessible software enables exploitation of public-facing application (T1190) for arbitrary command execution via command interpreter (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References