Packet Power EMX and EG
Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-219-05 | Aug 7, 2025
Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Packet Power EMX and EG devices with firmware versions prior to 4.1.0 contain an authentication bypass vulnerability (CWE-306). An attacker with network access to the device can gain full control without credentials, allowing arbitrary command execution and device configuration changes.
What this means
What could happen
An attacker with network access to an unpatched EMX or EG device can gain complete control without needing credentials, potentially disrupting power monitoring, metering, or data collection functions that the device performs.
Who's at risk
Organizations operating Packet Power EMX or EG power monitoring and metering devices in energy utilities and substations. These devices typically collect and transmit electrical data for load analysis, demand response, and billing functions.
How it could be exploited
An attacker sends a network request to the EMX or EG device on its open port without providing credentials. The device fails to enforce authentication, allowing the attacker to execute commands and alter configuration or data on the device.
Prerequisites
- Network reachability to the EMX or EG device on the management interface port
- No prior authentication or credentials required
remotely exploitable, no authentication required, low complexity, critical severity (CVSS 9.8), affects energy infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
EMX | <4.1.0 | 4.1.0+
EG | <4.1.0 | 4.1.0+
Remediation & Mitigation
Do now
WORKAROUND: Ensure EMX and EG devices are not directly accessible from the internet; disable any external-facing management interfaces
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Update EMX and EG devices to firmware version 4.1.0 or later
Long-term hardening
HARDENING: Isolate EMX and EG devices from the general corporate network; restrict network access to authorized management stations only via firewall rules
HARDENING: If remote access is required, implement a VPN connection to a bastion host or jump server rather than exposing the device directly to untrusted networks
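To prioritize the remediation steps above across a fleet, the following added example (not part of the advisory or any Packet Power tooling) triages an asset inventory for EMX and EG devices that are below firmware 4.1.0 or whose management interface accepts traffic from outside the authorized management stations. The inventory columns, host names, subnets and the dotted-numeric firmware format are assumptions constructed for illustration.

```python
import csv, io, ipaddress

FIXED = (4, 1, 0)  # first fixed firmware version per the advisory
# Constructed: subnets holding authorized management stations / jump hosts.
MGMT_NETS = [ipaddress.ip_network("10.50.0.0/28")]

# Constructed inventory; column names and values are hypothetical.
INVENTORY = """host,model,firmware,mgmt_allowed_from
pdu-gw-01,EG,4.0.3,0.0.0.0/0
meter-a12,EMX,4.1.0,10.50.0.0/28
meter-b07,EMX,3.9,10.0.0.0/8
pdu-gw-02,EG,4.2.1,10.50.0.4/32
meter-c01,EMX,unknown,10.50.0.0/28
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if len(parts) > 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def restricted(source_cidr):
    """True if the allowed source range lies inside an authorized management net."""
    net = ipaddress.ip_network(source_cidr, strict=False)
    return any(net.subnet_of(m) for m in MGMT_NETS)

def triage(inventory_csv):
    """Yield (host, [findings]) for EMX/EG rows that need action."""
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"] not in ("EMX", "EG"):
            continue
        findings = []
        ver = parse_version(row["firmware"])
        if ver is None:
            # Fail closed: an unparseable version is never treated as patched.
            findings.append("firmware unknown: verify manually")
        elif ver < FIXED:
            findings.append("firmware below 4.1.0: schedule update")
        if not restricted(row["mgmt_allowed_from"]):
            findings.append("management reachable beyond authorized stations")
        if findings:
            yield row["host"], findings

if __name__ == "__main__":
    for host, findings in triage(INVENTORY):
        print(host, "->", "; ".join(findings))
```

Devices with both findings map to the "Do now" workaround first, since restricting reachability does not need a maintenance window while the firmware update may.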
CVEs (1)