PatchSiren cyber security CVE debrief
CVE-2025-6185 Leviton CVE debrief
CVE-2025-6185 is a publicly disclosed cross-site scripting issue affecting Leviton AcquiSuite (A8810) and Leviton Energy Monitoring Hub (A8812). According to the CISA advisory published on 2025-07-17, an attacker can place a malicious payload in URL parameters that may execute in a user’s browser, enabling session token theft and control of the service. The advisory rates the issue CVSS 9.3 (Critical).
- Vendor: Leviton
- Product: AcquiSuite
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-07-17
- Original CVE updated: 2025-07-17
- Advisory published: 2025-07-17
- Advisory updated: 2025-07-17
Who should care
Industrial control system and building/energy monitoring operators using Leviton AcquiSuite A8810 or Energy Monitoring Hub A8812 should treat this as a priority browser-side exposure, especially where authenticated users access the interface remotely or from shared workstations.
Technical summary
The supplied advisory describes a reflected or parameter-driven XSS condition in the affected Leviton web interface. The malicious content is delivered through URL parameters and executes in the victim’s browser when a user follows the crafted link. The impact described by the source includes theft of session tokens and unauthorized control of the service. The provided CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, consistent with network reachability, required user interaction, and high confidentiality/integrity impact.
Defensive priority
High. The issue is critical by CVSS, affects browser-mediated access to OT/ICS-related products, and can lead to session compromise and service manipulation. Prioritize exposure reduction, access restrictions, and vendor remediation tracking.
Recommended defensive actions
- Identify whether Leviton AcquiSuite A8810 or Energy Monitoring Hub A8812 is deployed anywhere in the environment.
- Limit access to the management interface to trusted networks and administrative users only.
- Warn users not to open untrusted links targeting the affected service, especially links containing crafted URL parameters.
- Apply vendor or CISA guidance as soon as it becomes available; the advisory states Leviton had not responded to CISA mitigation requests at publication time.
- Contact Leviton customer support for product-specific remediation information.
- Review logs for unusual requests involving URL parameters and for suspicious browser-session activity.
- Ensure session handling and authentication controls are as strong as possible on exposed management interfaces until remediation is confirmed.
Evidence notes
All substantive claims come from the supplied CISA CSAF advisory item for ICSA-25-198-01 and its embedded metadata. The source explicitly identifies the affected products as Leviton AcquiSuite: A8810 and Leviton Energy Monitoring Hub: A8812, describes malicious URL-parameter payload execution in a browser, and states the possible theft of session tokens and control of the service. The advisory publication and modification dates are both 2025-07-17. No KEV entry or exploit details were provided in the source corpus.
Official resources
- CVE-2025-6185 CVE record (CVE.org)
- CVE-2025-6185 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2025-07-17 in advisory ICSA-25-198-01. The supplied source indicates this was the initial publication and shows no KEV listing in the provided data.