CVE-2025-46414 PUBLISHED

EG4 Electronics EG4 Inverters Improper Restriction of Excessive Authentication Attempts

Assigner: icscert
Reserved: 30.07.2025 Published: 08.08.2025 Updated: 08.08.2025

The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor: EG4 Electronics
Product: EG4 12kPV
Versions: Default: unaffected
  • All versions: affected

Vendor: EG4 Electronics
Product: EG4 18kPV
Versions: Default: unaffected
  • All versions: affected

Vendor: EG4 Electronics
Product: EG4 Flex 21
Versions: Default: unaffected
  • All versions: affected

Vendor: EG4 Electronics
Product: EG4 Flex 18
Versions: Default: unaffected
  • All versions: affected

Vendor: EG4 Electronics
Product: EG4 6000XP
Versions: Default: unaffected
  • All versions: affected

Vendor: EG4 Electronics
Product: EG4 12000XP
Versions: Default: unaffected
  • All versions: affected

Vendor: EG4 Electronics
Product: EG4 GridBoss
Versions: Default: unaffected
  • All versions: affected

Workarounds

CVE-2025-46414 was fixed on April 6, 2025. No user action was or is necessary.

For more information, contact EG4. https://eg4electronics.com/contact/

Credits

  • Anthony Rose of BC Security reported these vulnerabilities to CISA. (Credit type: finder)

Problem Types

  • CWE-307: Improper Restriction of Excessive Authentication Attempts