
cpe:2.3:a:eg4_electronics:eg4_flex_18:*:*:*:*:*:*:*:*

part: a
version: *
update: *

Vendor: Eg4 Electronics (97587b59-b331-51c8-9640-b550d849400e)
Product: Eg4 Flex 18 (8e8d0e00-82f3-5bf1-aee5-4bef15264167)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier: CVE:CVE-2025-53520
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:31:14.656480
db.gcve.eu details:
EG4 Electronics EG4 Inverters Download of Code Without Integrity Check
HIGH (8.8)
The affected product allows firmware updates to be downloaded from EG4's website, transferred via USB dongles, or installed through EG4's Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection.
Published: 2025-08-08T16:09:02.072Z
Updated: 2025-08-08T19:12:44.942Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2025-52586
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:31:11.917604
db.gcve.eu details:
EG4 Electronics EG4 Inverters Cleartext Transmission of Sensitive Information
MEDIUM (6.9)
The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings.
Published: 2025-08-08T16:00:43.694Z
Updated: 2025-09-08T17:06:06.953Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2025-47872
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:27:14.961969
db.gcve.eu details:
EG4 Electronics EG4 Inverters Observable Discrepancy
MEDIUM (5.8)
The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Combined with the fact that serial numbers are sequentially assigned, this allows an attacker to gain information on the product registration status of different S/Ns.
Published: 2025-08-08T16:14:18.901Z
Updated: 2025-08-08T19:13:18.978Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2025-46414
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:27:08.205513
db.gcve.eu details:
EG4 Electronics EG4 Inverters Improper Restriction of Excessive Authentication Attempts
HIGH (8.1)
The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025.
Published: 2025-08-08T16:17:43.727Z
Updated: 2025-08-08T19:13:44.835Z
Rationale: Imported from gcve-enriched-dumps CVE data
