Packet Power EMX and EG

Act Now9.8ICS-CERT ICSA-25-219-05Aug 7, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A missing authentication vulnerability in Packet Power EMX and EG devices (versions prior to 4.1.0) allows an attacker to gain full access and execute arbitrary commands on the device without providing credentials. The vulnerability is caused by insufficient access controls (CWE-306). EMX and EG devices are power metering and monitoring systems used in energy management and grid visibility applications. Successful exploitation would grant complete control over the device's functions, data, and configuration.

What this means

What could happen

An unauthenticated attacker with network access to an EMX or EG device could gain full control and run arbitrary commands, potentially altering power metering data, disabling monitoring, or interfering with energy management functions critical to grid operations.

Who's at risk

Energy utilities and facilities using Packet Power EMX or EG power metering and monitoring devices should prioritize this. These devices are commonly deployed in substations, data centers, and industrial plants to monitor electrical consumption and system health. If compromised, an attacker could manipulate metering data or shut down monitoring, creating blind spots in grid visibility.

How it could be exploited

An attacker reaches the device over the network and sends a specially crafted request to exploit the missing authentication check (CWE-306). No credentials or user interaction are needed. Once inside, the attacker has unrestricted access to the device's functions and configuration.

Prerequisites

Network reachability to the EMX or EG device
No authentication required

remotely exploitableno authentication requiredlow complexityhigh CVSS (9.8)no patch available for older versionsaffects energy infrastructure

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

EMX: <4.1.0<4.1.04.1.0 or later

EG: <4.1.0<4.1.04.1.0 or later

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to EMX and EG devices using firewall rules—allow only connections from trusted engineering workstations and SCADA systems; deny all internet-facing access

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade EMX and EG devices to version 4.1.0 or later

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate power metering and monitoring devices from general IT networks and the internet

HARDENINGIf remote access is required, use a VPN with current security patches and strong authentication

CVEs (1)

CVE-2025-8284

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/616958f2-17ec-4386-9519-10838d470ba3