CVE-2026-25599

Missing authentication and clear‑text data transmission affecting Orca heat pumps

Assigner: ENISA
Reserved: 03.02.2026 Published: 01.06.2026 Updated: 01.06.2026

Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices communicating with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an attacker to impersonate a legitimate device and inject malicious payloads. This enables the insertion of harmful code directly into the Orca user portal, potentially compromising user accounts, exposing sensitive information, and allowing further unauthorized actions within the portal.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS Score: 6.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Orca Energy
Product	Orca heat pump
Versions	Default: unaffected affected from 0 to 2.1.0 (excl.)

Vendor

Orca Energy

Product

Orca heat pump

Versions

Default: unaffected

affected from 0 to 2.1.0 (excl.)

Vendor	Orca Energy
Product	Orca user portal
Versions	Default: unaffected affected from 0 to 1.19 (excl.)

Vendor

Orca Energy

Product

Orca user portal

Versions

Default: unaffected

affected from 0 to 1.19 (excl.)

Credits

Tom Kern, NIL d.o.o. finder

References

Problem Types