CVE-2025-47872

Summary

The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Combined with the fact that serial numbers are sequentially assigned, this allows an attacker to gain information on the product registration status of different S/Ns.

Affected Software

VendorProductVersion RangeStatus
EG4 ElectronicsEG4 12kPVall versionsaffected
EG4 ElectronicsEG4 18kPVall versionsaffected
EG4 ElectronicsEG4 Flex 21all versionsaffected
EG4 ElectronicsEG4 Flex 18all versionsaffected
EG4 ElectronicsEG4 6000XPall versionsaffected
EG4 ElectronicsEG4 12000XPall versionsaffected
EG4 ElectronicsEG4 GridBossall versionsaffected

Weaknesses

  • CWE-203: CWE-203

Workarounds

EG4 has acknowledged the vulnerabilities and is actively working on a fix, including new hardware expected to release by October 15, 2025. Until then, EG4 will actively monitor all installed systems and work with affected users on a case-by-case basis if anomalies are observed.

For more information, contact EG4. https://eg4electronics.com/contact/

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References