Plaintext Communication Vulnerability in Inverter from EG4 Electronics
CVE-2025-52586
7.5 HIGH
What is CVE-2025-52586?
The communication between the monitoring application and the inverter utilizes MOD3 command traffic transmitted in plaintext, lacking encryption or obfuscation. This design flaw potentially exposes critical data to local network attackers, who could intercept and manipulate read/write operations related to voltage, current, and power settings. Additionally, they may control system alarms, telemetry data, and reset functions, possibly leading to operational disruption or unauthorized reconfiguration of inverter parameters.
Affected Version(s)
EG4 12000XP all versions
EG4 12kPV all versions
EG4 18kPV all versions
CVSS V4
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Anthony Rose of BC Security reported these vulnerabilities to CISA.