CVE-2025-6185

Summary

Leviton AcquiSuite and Energy Monitoring Hub are susceptible to a cross-site scripting vulnerability, allowing an attacker to craft a malicious payload in URL parameters, which would execute in a client browser when accessed by a user, steal session tokens, and control the service.

Affected Software

VendorProductVersion RangeStatus
LevitonAcquiSuiteVersion A8810affected
LevitonEnergy Monitoring HubVersion A8812affected

Weaknesses

  • CWE-79: CWE-79

Workarounds

Leviton has not responded to requests to work with CISA in mitigating this vulnerability. Users of these affected products are welcome to contact Leviton's customer support https://leviton.com/support/resources/product-support for additional information.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References