CVE-2025-47872
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Summary
The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Combined with the fact that serial numbers are sequentially assigned, this allows an attacker to gain information on the product registration status of different S/Ns.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| EG4 Electronics | EG4 12kPV | all versions | affected |
| EG4 Electronics | EG4 18kPV | all versions | affected |
| EG4 Electronics | EG4 Flex 21 | all versions | affected |
| EG4 Electronics | EG4 Flex 18 | all versions | affected |
| EG4 Electronics | EG4 6000XP | all versions | affected |
| EG4 Electronics | EG4 12000XP | all versions | affected |
| EG4 Electronics | EG4 GridBoss | all versions | affected |
Weaknesses
- CWE-203: CWE-203
Workarounds
EG4 has acknowledged the vulnerabilities and is actively working on a fix, including new hardware expected to release by October 15, 2025. Until then, EG4 will actively monitor all installed systems and work with affected users on a case-by-case basis if anomalies are observed.
For more information, contact EG4. https://eg4electronics.com/contact/
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.