Brute-force Vulnerability in Electronics Device API from EG4 Electronics
CVE-2025-46414
9.2 CRITICAL
What is CVE-2025-46414?
A security flaw in the EG4 Electronics API allows for brute-force attacks due to a lack of limits on PIN input attempts for registered devices. An attacker with access to a valid device serial number can exploit this vulnerability to gain unauthorized access to the product. Moreover, the API's feedback mechanism provides detailed confirmation when a correct PIN is entered, making brute-force methods more effective. This issue affects several products and was addressed with a server-side update on April 6, 2025.
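The two weaknesses described above, unlimited PIN attempts per serial and a reply that spells out which check failed, are easiest to see next to their fix. The following is an added example written for this page; it is not EG4's API or the vendor's server-side update. The device serial, PIN, attempt limit and lockout window are constructed sample values, and the registry, `weak_verify` and `PinVerifier` names are hypothetical.

```python
"""Per-device PIN verification: the unlimited, verbose pattern beside a limited, uniform one.

Added example, not vendor code. Serials, PINs and thresholds are constructed.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PBKDF2_ROUNDS = 50_000  # kept low for the example; production deployments use more


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_registry(devices: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Store a per-serial salt and PIN hash; the PIN itself is never kept."""
    registry = {}
    for serial, pin in devices.items():
        salt = os.urandom(16)
        registry[serial] = (salt, _hash_pin(pin, salt))
    return registry


def weak_verify(registry: Dict[str, Tuple[bytes, bytes]], serial: str, pin: str) -> str:
    """The pattern the advisory describes: every call is answered no matter how many
    failures precede it, and the message reveals exactly which check failed."""
    if serial not in registry:
        return "unknown serial"
    salt, digest = registry[serial]
    if hmac.compare_digest(_hash_pin(pin, salt), digest):
        return f"PIN accepted for device {serial}"
    return "wrong PIN"


# Dummy credential so an unknown serial costs the same hash work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _hash_pin("0000", _DUMMY_SALT)


@dataclass
class PinVerifier:
    """Hardened form: per-serial failure counter, temporary lockout, one-bit answer."""
    registry: Dict[str, Tuple[bytes, bytes]]
    max_failures: int = 5            # assumption: failures tolerated before lockout
    lockout_seconds: float = 900.0   # assumption: how long a serial stays locked
    clock: Callable[[], float] = time.monotonic
    events: List[dict] = field(default_factory=list)  # audit trail for detection/alerting
    # serial -> (consecutive failures, lock expiry). In production this table needs
    # eviction, since unknown serials are counted too.
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def _log(self, kind: str, serial: str, now: float) -> None:
        self.events.append({"event": kind, "serial": serial, "t": now})

    def is_locked(self, serial: str) -> bool:
        _, locked_until = self._state.get(serial, (0, 0.0))
        return self.clock() < locked_until

    def verify(self, serial: str, pin: str) -> bool:
        """Returns True only on a correct PIN for a known, unlocked serial.
        Wrong PIN, unknown serial and locked serial all return the same False."""
        now = self.clock()
        failures, locked_until = self._state.get(serial, (0, 0.0))
        if now < locked_until:
            self._log("locked", serial, now)
            return False
        if locked_until and now >= locked_until:  # lockout expired: start a fresh window
            failures, locked_until = 0, 0.0
        salt, digest = self.registry.get(serial, (_DUMMY_SALT, _DUMMY_DIGEST))
        candidate = _hash_pin(pin, salt)  # always computed, known serial or not
        if hmac.compare_digest(candidate, digest) and serial in self.registry:
            self._state.pop(serial, None)
            self._log("success", serial, now)
            return True
        failures += 1
        if failures >= self.max_failures:
            locked_until = now + self.lockout_seconds
            self._log("lockout", serial, now)
        else:
            self._log("failure", serial, now)
        self._state[serial] = (failures, locked_until)
        return False


if __name__ == "__main__":
    reg = make_registry({"SN-EXAMPLE-0001": "4821"})  # constructed serial and PIN
    print(weak_verify(reg, "SN-EXAMPLE-0001", "1111"))  # "wrong PIN": leaks the reason
    v = PinVerifier(reg, max_failures=3, lockout_seconds=60.0)
    for guess in ("1111", "2222", "3333", "4821"):
        print(guess, v.verify("SN-EXAMPLE-0001", guess))  # fourth call is False: locked
    print(v.events)
```

The `events` list is the part a detection engineer would wire to alerting: a burst of `failure` and `lockout` records against one serial, or across many serials from one client, is the signal that an attempt limit exists to produce. The lockout also rejects the correct PIN while active, which is intentional; the `clock` parameter is there so the expiry can be tested without waiting.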
Affected Version(s)
EG4 12000XP all versions
EG4 12kPV all versions
EG4 18kPV all versions
References
CVSS V4
Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Anthony Rose of BC Security reported these vulnerabilities to CISA.