Leviton AcquiSuite and Energy Monitoring Hub

Plan: Patch
CVSS: 9.3
ICS-CERT: ICSA-25-198-01
Jul 17, 2025
Energy

Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: Low
  User Interaction: Required
Summary

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the web interface of Leviton AcquiSuite (A8810) and Energy Monitoring Hub (A8812) devices. An attacker can craft a malicious URL with JavaScript code embedded in parameters that executes when a user accesses the affected device's web interface. Successful exploitation allows the attacker to steal the user's session token and assume authenticated control of the energy monitoring system. Leviton has not engaged with CISA on mitigation and no patch is available.

What this means
What could happen
An attacker could inject malicious code into a URL that executes in the browser of a user accessing the AcquiSuite or Energy Monitoring Hub web interface, allowing them to steal session credentials and take control of the monitoring system, potentially disrupting visibility into energy consumption and operational metrics.
Who's at risk
This vulnerability affects energy monitoring and data collection systems used in utilities and facilities to track power consumption and grid operations. It is primarily relevant to energy utilities, facility managers, and building automation teams that operate Leviton AcquiSuite and Energy Monitoring Hub devices for real-time energy visibility and reporting.
How it could be exploited
An attacker crafts a malicious URL containing JavaScript code in its URL parameters and tricks a user (engineer, operator, or administrator) into opening it, typically through a phishing email. When the victim follows the link to the Leviton device's web interface, the script executes in their browser, steals their session token, and gives the attacker authenticated access to control the monitoring system.
Prerequisites
  • User must click a malicious link or visit a crafted URL
  • User must be authenticated to the AcquiSuite or Energy Monitoring Hub web interface
  • The device must be reachable from the network where the user is located
  • No special credentials or configuration required beyond normal user access
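As an added, illustrative example (not code from this advisory or from Leviton), the following Python scans web-server or proxy access logs in front of the device for requests whose query parameters carry the script-injection markers this vulnerability class relies on. It is written from the defender's side: a site that cannot patch the device can still watch for the crafted URLs the advisory describes. The combined log format, the `/example/status` path and the sample lines are constructed assumptions; the page does not disclose the affected parameter names, so none are used.

```python
"""Flag web-interface requests whose query parameters carry HTML/script
injection markers (detection aid for the XSS class in the advisory).

Constructed, illustrative example. It is not Leviton code and assumes an
Apache/nginx-style combined access log from a proxy or firewall in front
of the device. Paths and parameter names are placeholders."""

import re
from html import unescape
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log line: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markers that have no legitimate place in an energy monitor's query string.
MARKERS = (
    re.compile(r'<\s*/?\s*script\b', re.I),
    re.compile(r'<\s*(img|svg|iframe|body|object|embed)\b', re.I),
    re.compile(r'\bon[a-z]+\s*=', re.I),   # inline event handlers (onerror=, onload=, ...)
    re.compile(r'javascript\s*:', re.I),
)


def normalize(value, rounds=3):
    """Percent-decode repeatedly (bounded) and then HTML-entity-decode, so that
    %253Cscript%253E and %26lt%3Bscript%26gt%3B both compare equal to <script>."""
    current = value
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return unescape(current)


def suspicious_params(target):
    """Return [(param, decoded_value)] for query parameters containing a marker."""
    parts = urlsplit(target)
    hits = []
    # parse_qsl performs one percent-decode; normalize() handles the rest.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = normalize(raw)
        if any(m.search(value) for m in MARKERS):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Scan combined-format log lines; return one finding per flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:            # skip anything that is not a parsable request line
            continue
        hits = suspicious_params(m.group('target'))
        if hits:
            findings.append({
                'client': m.group('client'),
                'time': m.group('time'),
                'status': int(m.group('status')),
                'path': urlsplit(m.group('target')).path,
                'params': hits,
            })
    return findings


# Constructed sample log; /example/status is a placeholder path, not a device URL.
SAMPLE_LOG = [
    # benign request
    '10.0.5.23 - - [17/Jul/2025:09:14:02 +0000] "GET /example/status?page=2&sort=name HTTP/1.1" 200 5120',
    # plain percent-encoded <script> tag in a parameter
    '10.0.5.99 - - [17/Jul/2025:09:15:40 +0000] "GET /example/status?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301',
    # double percent-encoded, which a single decode would miss
    '10.0.5.99 - - [17/Jul/2025:09:16:05 +0000] "GET /example/status?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5301',
    # HTML-entity-encoded variant (entities themselves percent-encoded in the URL)
    '10.0.5.99 - - [17/Jul/2025:09:16:30 +0000] "GET /example/status?name=%26lt%3Bscript%26gt%3Bx%26lt%3B/script%26gt%3B HTTP/1.1" 200 5301',
    # not a request line at all; the scanner must ignore it
    'garbage line',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} -> {f['params']}")
```

Run it against logs exported from the proxy or firewall that fronts the device; any hit on the monitoring interface is worth an incident ticket, since the page states no fix exists. The bounded repeated decoding is what catches the encoding-evasion cases in the sample. The event-handler heuristic (`on…=`) can false-positive on innocuous parameter names such as `option=`, so tune it with an allowlist of known device parameters before alerting on it.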
  • Remotely exploitable via crafted URL
  • No authentication required to craft exploit
  • Low complexity to exploit
  • No patch available from vendor
  • Affects energy monitoring and control visibility
  • Social engineering vector (phishing/link clicking)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)

Product                         Affected Versions   Fix Status
AcquiSuite (A8810)              A8810               No fix yet
Energy Monitoring Hub (A8812)   A8812               No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to the AcquiSuite and Energy Monitoring Hub web interfaces to trusted administrative workstations only using firewall rules; block all external access from the Internet
  • HARDENING: Place AcquiSuite and Energy Monitoring Hub devices behind a firewall and on an isolated network segment separate from business networks and Internet-facing systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • WORKAROUND: If remote access to these devices is required, implement a VPN with strong authentication and keep VPN software updated to the latest version
  • HOTFIX: Contact Leviton customer support to inquire about firmware updates, security patches, or replacement options for these products
Long-term hardening
  • HARDENING: Train users and operators not to click links in unsolicited emails or messages that direct them to the web interface; verify all links before clicking