OTPulse

Leviton AcquiSuite and Energy Monitoring Hub

Act Now | CVSS 9.3 | ICS-CERT ICSA-25-198-01 | Jul 17, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A cross-site scripting (XSS) vulnerability in Leviton AcquiSuite (A8810) and Energy Monitoring Hub (A8812) allows an attacker to craft a malicious payload in URL parameters that executes in a client browser. If a user visits a crafted URL, the attacker can steal session tokens and take control of the monitoring service. The vulnerability requires user interaction (clicking a malicious link) but has a high impact on confidentiality and integrity.

What this means
What could happen
An attacker could steal a user's session token and gain unauthorized control of the energy monitoring service, potentially allowing them to modify energy readings, disable alerts, or disrupt visibility into power consumption and grid status.
Who's at risk
Energy utilities and facilities managers using Leviton AcquiSuite or Energy Monitoring Hub for real-time energy monitoring and management should be concerned. These devices are often accessed by operators and engineers through web dashboards; compromise could allow unauthorized modifications to monitoring configurations or theft of operational data.
How it could be exploited
An attacker crafts a malicious URL containing JavaScript code in a URL parameter, then tricks a user (administrator or operator) into clicking the link in an email, chat, or web page. When the user visits the URL, the JavaScript executes in their browser with their session permissions, allowing the attacker to steal their session token and impersonate them to the monitoring hub.
Prerequisites
  • User must click a malicious link (social engineering)
  • User must be authenticated to the monitoring service
  • User must use a standard web browser without advanced XSS protections
Tags: remotely exploitable · user interaction required (social engineering) · no patch available · high CVSS score (9.3) · allows session hijacking and service control
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
AcquiSuite (A8810) | A8810 | No fix yet
Energy Monitoring Hub (A8812) | A8812 | No fix yet
Remediation & Mitigation
Do now
  • [Hardening] Minimize network exposure: ensure AcquiSuite and Energy Monitoring Hub are not accessible from the Internet
  • [Hardening] Isolate the control system network behind a firewall, separate from business networks
  • [Hardening] If remote access is required, use a VPN and keep the VPN software updated to the latest version
Long-term hardening
  • [Hardening] Train operators and administrators not to click links in unsolicited emails and to verify URLs before visiting them
  • [Hardening] Monitor for suspicious activity in audit logs and report suspected malicious activity to CISA
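As an added illustration of the audit-log monitoring step above (example code, not from the advisory, CISA or Leviton): the Python below scans web-server access-log lines for query parameters carrying script-like payloads of the kind the advisory describes, stripping repeated URL encoding before matching. The log lines, client IPs, paths and parameter names are constructed placeholders, not the devices' real endpoints.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (common log format); hosts, paths and
# parameter names are placeholders, not taken from the real devices.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2025:10:01:12 +0000] "GET /dashboard?meter=12 HTTP/1.1" 200 512
10.0.0.9 - - [17/Jul/2025:10:02:44 +0000] "GET /dashboard?meter=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 611
10.0.0.7 - - [17/Jul/2025:10:03:01 +0000] "GET /dashboard?label=Main%20Panel HTTP/1.1" 200 800
10.0.0.9 - - [17/Jul/2025:10:03:30 +0000] "GET /dashboard?label=x%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 800
"""

# client_ip, method, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Markers that indicate script injection into a reflected parameter.
XSS_MARKERS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),            # inline event handler
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(img|svg|iframe|object)\b", re.I),
    re.compile(r"document\.(cookie|location)", re.I),
]


def decode_param(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_candidates(log_text):
    """Return (client_ip, path, param, decoded_value) for suspicious query params."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # not a request line we understand; skip it
        ip, _method, target, _status = m.groups()
        parts = urlsplit(target)
        # parse_qsl decodes once; decode_param handles further layers
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = decode_param(raw)
            if any(p.search(value) for p in XSS_MARKERS):
                hits.append((ip, parts.path, name, value))
    return hits
```

Feed real access logs through find_xss_candidates and review the flagged client IPs and parameters; the second sample line shows why decoding must be repeated before matching.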