Outback Power Mojave Inverter

Monitor7.5ICS-CERT ICSA-25-044-17Feb 13, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Outback Power Mojave Inverter contains information disclosure (CWE-200) and command injection (CWE-77) vulnerabilities. An attacker with network access can extract sensitive data or inject commands without authentication. The product was transferred from Enersys to Outback Power, which lacks resources to maintain it. Outback Power has not released patches and may discontinue the product.

What this means

What could happen

An attacker with network access to a Mojave Inverter could read sensitive data (such as operational parameters or credentials) or inject commands that alter inverter operation or settings without authentication.

Who's at risk

Energy sector operators managing distributed solar or battery storage systems that use the Outback Power Mojave Inverter for power conversion and grid interface. This affects anyone relying on this inverter for renewable energy systems or backup power where the inverter's networking capability is currently enabled.

How it could be exploited

An attacker on the network can send crafted requests directly to the Mojave Inverter's exposed networking interface. The inverter fails to properly validate or authenticate these requests, allowing the attacker to extract sensitive information or execute commands on the device.

Prerequisites

Network access to the Mojave Inverter (typically TCP/UDP ports used for device management or monitoring)
No credentials or authentication required

remotely exploitableno authentication requiredlow complexityno patch availableaffects energy generation or storage equipment

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

Outback Power Mojave Inverter: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDDisable networking features on the Mojave Inverter until a replacement product is procured

HARDENINGPlace the Mojave Inverter behind a firewall and isolate it from the business network

HARDENINGEnsure the Mojave Inverter is not reachable from the internet

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGDisable any unused functions on the device

HOTFIXEvaluate and procure a replacement product to retire the Mojave Inverter

Mitigations - no patch available

0/1

Outback Power Mojave Inverter: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIf remote access is required, implement a VPN tunnel and keep VPN software updated

CVEs (3)

CVE-2025-26473 CVE-2025-25281 CVE-2025-24861

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a67a3735-7b9f-4a77-a515-0e926f906c85