Skip to main content

CVE-2025-46414: CWE-307 in EG4 Electronics EG4 12kPV

High
VulnerabilityCVE-2025-46414cvecve-2025-46414cwe-307
Published: Fri Aug 08 2025 (08/08/2025, 16:17:43 UTC)
Source: CVE Database V5
Vendor/Project: EG4 Electronics
Product: EG4 12kPV

Description

The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025.

AI-Powered Analysis

AILast updated: 08/08/2025, 16:48:36 UTC

Technical Analysis

CVE-2025-46414 is a high-severity vulnerability identified in the EG4 Electronics EG4 12kPV product line. The core issue stems from the product's failure to limit the number of attempts for inputting the correct PIN associated with a registered device. This lack of rate limiting or lockout mechanism enables an attacker who possesses a valid device serial number to perform brute-force attacks against the PIN authentication mechanism. The API involved in the authentication process provides explicit feedback when the correct PIN is entered, which significantly aids an attacker in confirming successful guesses. This vulnerability is classified under CWE-307, which pertains to improper restriction of excessive authentication attempts. The vulnerability affects all versions of the EG4 12kPV product prior to the patch applied on April 6, 2025, which was a server-side update. The CVSS v3.1 base score is 8.1, indicating a high severity level, with attack vector being network-based (AV:N), requiring high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk due to the ease of confirming successful brute-force attempts and the potential for unauthorized access to the device or associated systems.

Potential Impact

For European organizations utilizing the EG4 12kPV product, this vulnerability could lead to unauthorized access to critical infrastructure or operational technology systems. Given the high impact on confidentiality, integrity, and availability, exploitation could result in data breaches, manipulation or disruption of device operations, and potential cascading effects on connected systems. This is particularly concerning for sectors such as energy, manufacturing, and utilities, where EG4 Electronics products might be deployed for power management or industrial control. Unauthorized access could enable attackers to disrupt service availability, alter operational parameters, or exfiltrate sensitive operational data. The lack of authentication barriers increases the risk of automated attacks, potentially leading to widespread compromise if multiple devices are targeted. The vulnerability's network accessibility further amplifies the threat, as attackers do not require physical access or user interaction to exploit it.

Mitigation Recommendations

European organizations should ensure that all EG4 12kPV devices are updated with the server-side patch released on April 6, 2025, which addresses the brute-force vulnerability by implementing proper attempt restrictions. Network segmentation should be employed to isolate these devices from general IT networks and restrict access to trusted management systems only. Implementing intrusion detection systems (IDS) and monitoring for unusual authentication attempts or repeated PIN entry failures can provide early warning of brute-force attempts. Organizations should also enforce strict access controls around device serial numbers and related credentials to prevent attackers from obtaining valid identifiers. Where possible, multi-factor authentication (MFA) mechanisms should be layered on top of device authentication to reduce reliance on PINs alone. Additionally, logging and auditing of authentication attempts should be enabled and regularly reviewed to detect and respond to suspicious activities promptly.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
icscert
Date Reserved
2025-07-30T19:03:10.098Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689626b0ad5a09ad0005336d

Added to database: 8/8/2025, 4:32:48 PM

Last enriched: 8/8/2025, 4:48:36 PM

Last updated: 8/15/2025, 3:33:17 PM

Views: 13

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats