The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-severity alert for a missing authentication vulnerability affecting Packet Power products, warning that successful exploitation “could allow an attacker to gain full access to the device without authentication.”
The flaw, tracked as CVE-2025-8284 and rated CVSS 9.8, impacts:
- EMX: Versions prior to 4.1.0
- EG: Versions prior to 4.1.0
According to the advisory, the Packet Power Monitoring and Control Web Interface “does not enforce authentication mechanisms” by default. This means an attacker with network access could gain unauthorized control over monitoring and management functions without needing credentials.
Security researchers Anthony Rose and Jacob Krasnov of BC Security discovered and reported the flaw to CISA.
The absence of authentication allows adversaries to:
- View and manipulate operational data
- Alter device configurations
- Potentially disrupt or control connected systems
Given the critical role these devices can play in data center and industrial power monitoring, the risk extends to operational continuity and physical infrastructure safety.
Packet Power advises all customers to:
- Update to version 4.1.0 or later immediately
- Isolate devices from untrusted networks where possible
CISA further recommends:
- Minimizing network exposure for all control systems, ensuring they are not accessible from the internet
- Using secure remote access methods such as VPNs — while noting that VPNs must be kept fully updated and are only as secure as the connected endpoints