CVE-2025-47872 is a medium-severity vulnerability (CWE-203: Information Exposure Through Discrepancy) affecting all versions of the EG4 Electronics EG4 12kPV product. The vulnerability arises from the behavior of the product registration endpoint, which is publicly accessible and responds differently based on the status of the serial number (S/N) submitted. Specifically, the server returns distinct responses if the S/N is valid and unregistered, valid but already registered, or nonexistent in the database. Because serial numbers are assigned sequentially, an attacker can enumerate serial numbers and infer the registration status of each device. This information leakage can be leveraged to profile deployed devices, identify unregistered or potentially vulnerable units, or facilitate targeted attacks or social engineering campaigns. The vulnerability does not directly impact confidentiality of sensitive data beyond the registration status, nor does it affect integrity or availability of the system. Exploitation requires no authentication or user interaction and can be performed remotely over the network. There are no known exploits in the wild at this time, and no patches have been published yet. The CVSS v3.1 base score is 5.8, reflecting a network attack vector with low complexity and no privileges required, but limited impact confined to information disclosure without integrity or availability consequences. This vulnerability is primarily an information disclosure issue that could aid attackers in reconnaissance phases of an attack chain against EG4 12kPV devices.

For European organizations deploying EG4 12kPV devices, this vulnerability could enable attackers to gather intelligence about device deployment and registration status. Such information could be used to identify unregistered devices that might lack updates or support, increasing their risk profile. Attackers could also use this data to craft targeted phishing or social engineering attacks against device owners or administrators. While the vulnerability does not directly compromise device functionality or data confidentiality beyond registration status, the exposure of deployment details could facilitate subsequent attacks or unauthorized access attempts. In critical infrastructure or industrial environments where EG4 12kPV devices may be used, this reconnaissance capability could aid adversaries in planning more damaging attacks. However, the absence of integrity or availability impact limits immediate operational risks. The vulnerability's ease of exploitation without authentication increases its attractiveness for remote attackers conducting large-scale scanning or profiling campaigns.

To mitigate this vulnerability, EG4 Electronics should implement uniform response messages for the product registration endpoint that do not reveal the existence or registration status of serial numbers. Rate limiting and anomaly detection should be applied to the registration endpoint to prevent automated enumeration attempts. Organizations should monitor network traffic for suspicious scanning activity targeting the registration service. Where possible, restrict access to the registration endpoint to authorized users or networks, for example by IP whitelisting or VPN access. Additionally, organizations should maintain an accurate inventory of deployed EG4 12kPV devices and ensure all devices are registered promptly to reduce the window of exposure for unregistered units. Security awareness training should include information about this vulnerability to help staff recognize potential social engineering attempts leveraging registration status information. Finally, EG4 Electronics should prioritize releasing a patch or update that addresses this information disclosure issue.