CVE-2025-64119

Nuvation Energy BMS Client-side Authentication

CVSS 9.3 CRITICAL | EPSS 0.4% | CWE-603

In short

Nuvation Battery Management System has a flaw that allows attackers to bypass authentication and gain unauthorized access to the system without valid credentials. This is critical because it exposes battery management controls to anyone who can reach the application.

Technical detail

A CWE-603 (client-side authentication) flaw in Nuvation BMS up to and including version 2.3.9 permits authentication bypass, likely due to insufficient server-side validation of client-side security controls. An attacker can access protected functionality and resources without providing valid credentials, compromising the confidentiality and integrity of the battery management system.

Summary generated and translated by AI from the official description.
A vulnerability in Nuvation Battery Management System allows Authentication Bypass. This issue affects Battery Management System: through 2.3.9.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:P/AU:Y
