CVE-2025-53520

Summary

The affected product allows firmware updates to be downloaded from EG4's website, transferred via USB dongles, or installed through EG4's Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection.

Affected Software

VendorProductVersion RangeStatus
EG4 ElectronicsEG4 12kPVall versionsaffected
EG4 ElectronicsEG4 18kPVall versionsaffected
EG4 ElectronicsEG4 Flex 21all versionsaffected
EG4 ElectronicsEG4 Flex 18all versionsaffected
EG4 ElectronicsEG4 6000XPall versionsaffected
EG4 ElectronicsEG4 12000XPall versionsaffected
EG4 ElectronicsEG4 GridBossall versionsaffected

Weaknesses

  • CWE-494: CWE-494

Workarounds

EG4 has acknowledged the vulnerabilities and is actively working on a fix, including new hardware expected to release by October 15, 2025. Until then, EG4 will actively monitor all installed systems and work with affected users on a case-by-case basis if anomalies are observed.

For more information, contact EG4. https://eg4electronics.com/contact/

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References