Outback Power Mojave Inverter

MonitorCVSS 7.5ICS-CERT ICSA-25-044-17Feb 13, 2025

Energy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Outback Power Mojave Inverter contains information disclosure (CWE-200) and command injection (CWE-77) vulnerabilities in its networking interface. The Mojave Inverter was transferred from Enersys to Outback Power without dedicated security resources. Outback Power has not addressed these vulnerabilities and may discontinue the product. All versions are affected. No patch is planned. Successful exploitation allows an attacker to access sensitive data or inject commands to alter inverter operation.

What this means

What could happen

An attacker with network access to a Mojave Inverter could read sensitive data or inject commands that alter power conversion behavior, potentially disrupting energy distribution or storage operations.

Who's at risk

Energy sector operators using Outback Power Mojave Inverters for power conversion and storage applications, particularly in solar or renewable energy systems where the inverter is networked for monitoring or control.

How it could be exploited

An attacker on the network sends unauthenticated requests to the Mojave Inverter's network interface to extract configuration or operational data (CWE-200), or injects malicious commands (CWE-77) to alter inverter settings or behavior. The inverter accepts these requests with no authentication required.

Prerequisites

Network access to the Mojave Inverter on its configured network interface
No authentication required

remotely exploitableno authentication requiredlow complexityno patch availableaffects critical energy infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

Outback Power Mojave Inverter: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable all networking features on the Mojave Inverter immediately

HARDENINGIsolate the Mojave Inverter on a dedicated network segment behind a firewall, blocking all inbound traffic from business and internet networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGIf remote monitoring is required, deploy a VPN gateway as the sole access point and restrict access to specific authorized personnel only

Mitigations - no patch available

0/1

Outback Power Mojave Inverter: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGPlan replacement of the Mojave Inverter with a supported product from Outback Power or another vendor that receives security updates

CVEs (3)

CVE-2025-26473 CVE-2025-25281 CVE-2025-24861

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a67a3735-7b9f-4a77-a515-0e926f906c85

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.