PatchSiren cyber security CVE debrief
CVE-2025-26473 Outback Power CVE debrief
CVE-2025-26473 affects the Outback Power Mojave Inverter and was published by CISA on 2025-02-13. The advisory states that the device uses the GET method for sensitive information, which can expose confidentiality-sensitive data. CISA assigns the issue a CVSS 3.1 score of 7.5 (HIGH) and recommends disabling the product’s networking features until a replacement product can be acquired.
- Vendor: Outback Power
- Product: Mojave Inverter
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-13
- Original CVE updated: 2025-02-13
- Advisory published: 2025-02-13
- Advisory updated: 2025-02-13
Who should care
Operators and asset owners using Outback Power Mojave Inverter devices, along with OT/ICS security teams and network administrators responsible for industrial control environments.
Technical summary
The advisory identifies a confidentiality weakness in the Mojave Inverter: sensitive information is handled over HTTP GET rather than a safer method. The published CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a network-reachable issue with high confidentiality impact and no stated integrity or availability impact. CISA’s remediation guidance says the product may be discontinued and recommends disabling networking features until a replacement can be acquired.
Defensive priority
High for exposed or internet-reachable deployments, and high for any operational environment where the device handles sensitive data over its network interface.
Recommended defensive actions
- Identify all Outback Power Mojave Inverter assets in your environment.
- Disable networking features on affected devices as CISA recommends, until a replacement product can be acquired.
- Restrict network access to the device and minimize exposure to trusted management paths only.
- Review whether any sensitive data is being requested or transmitted through GET-based endpoints.
- Monitor CISA advisory updates and vendor communications for any product replacement or additional guidance.
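To support the review of GET-based endpoints listed above: query strings on GET requests are recorded in web-server and proxy access logs, so those logs can be audited for sensitive-looking parameter names. The following is an added example, not code from CISA or the vendor; the parameter-name hints, paths, and log lines are constructed assumptions, since the advisory does not name the device's endpoints or fields.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed name fragments; the advisory does not list the device's actual fields.
SENSITIVE_HINTS = ("pass", "pwd", "token", "secret", "key", "session", "auth")

# Request portion of a common/combined access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_get_params(log_line):
    """Return sorted names of sensitive-looking query parameters sent via GET."""
    m = REQUEST_RE.search(log_line)
    if not m or m.group("method") != "GET":
        return []
    query = urlsplit(m.group("target")).query
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(n for n in names if any(h in n.lower() for h in SENSITIVE_HINTS))


def audit(log_lines):
    """Map 1-based line number -> flagged parameter names (values are never echoed)."""
    findings = {}
    for lineno, line in enumerate(log_lines, start=1):
        flagged = sensitive_get_params(line)
        if flagged:
            findings[lineno] = flagged
    return findings


# Constructed sample lines: documentation IP range, hypothetical paths and parameters.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Feb/2025:10:00:01 +0000] "GET /status?unit=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [13/Feb/2025:10:00:05 +0000] "GET /login?user=admin&password=REDACTED HTTP/1.1" 200 87',
    '192.0.2.11 - - [13/Feb/2025:10:00:09 +0000] "POST /login HTTP/1.1" 200 87',
    '192.0.2.12 - - [13/Feb/2025:10:00:12 +0000] "GET /config?Session_Token=REDACTED&page=2 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, names in audit(SAMPLE_LOG).items():
        print(f"line {lineno}: sensitive parameters in GET query string: {', '.join(names)}")
```

Any log that yields findings should itself be treated as containing sensitive data and have its access and retention reviewed.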
Evidence notes
Source corpus is limited to the CISA CSAF advisory and official references. The advisory explicitly states: "The Mojave Inverter uses the GET method for sensitive information." It also states that the product was originally an Enersys product, was moved to Outback Power, may be discontinued, and has not yet been addressed by the vendor. CISA’s listed mitigation is to disable networking features until a replacement product can be acquired. No KEV listing was provided in the supplied data.
Official resources
- CVE-2025-26473 CVE record (CVE.org)
- CVE-2025-26473 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory and CVE record on 2025-02-13. The supplied data does not indicate KEV inclusion or a due date.