MEDIUM
Orca Energy
CVE published 2026-06-01
CVE-2026-25599
CVE-2026-25599 documents multiple security weaknesses in older Orca heat pump devices that communicate with the Orca server over unencrypted, unauthenticated HTTP on a non-secure port. The vulnerability chain begins with missing authentication (CWE-306) and clear-text transmission of data (CWE-319), which allows an attacker to impersonate a legitimate device. This impersonation capability, combined with a [truncated]