Nuvation Battery Storage Systems Vulnerabilities: CVE-2025-64119

Last Updated: December 19, 2025

Summary

Dragos evaluated Nuvation Energy's Battery Management System (BMS) and Multi-Stack Controller (MSC) devices and identified multiple security vulnerabilities.

Key Vulnerabilities

CVE-2025-64119 - CWE-603: Client-Side Authentication - CVSSv3.1: 9.9 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2025-64120 - CWE-78: OS Command Injection - CVSSv3.1: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-64121 - CWE-288: Authentication Bypass Using an Alternate Path or Channel - CVSSv3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2025-64122 - Private Key Stored on Device - CVSSv3.1: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-64124 - CWE-78: OS Command Injection - CVSSv3.1: 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-64123 - CWE-441: Unintended Proxy or Intermediary - CVSSv3.1: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-64125 - CWE-923: Improper Restriction of Communication Channel to Intended Endpoints - CVSSv3.1: 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)

Impact and Mitigation

Users are urged to update their MSC to nPlatform 2.5.1 / MSC 22.4.0. Enable authentication on the MSC and set a strong password. Restrict access to the nCloud service if not necessary.

Note

CVE-2025-64125 is essentially impossible to score correctly with CVSS, and it could be chained with other MSC vulnerabilities to exploit connected appliances.