Description
Missing authentication and clear-text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump's web control interface. Older Orca heat pump devices communicating with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an attacker to impersonate a legitimate device and inject malicious payloads. This enables the insertion of harmful code directly into the Orca user portal, potentially compromising user accounts, exposing sensitive information, and allowing further unauthorized actions within the portal.
Published: 2026-06-01
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from missing authentication and clear‑text data transmission between Orca heat pumps and the control server, combined with absent input validation on received aggregated data. This allows attackers to store cross‑site scripting payloads that can steal session cookies from the pump’s web control interface, leading to theft of user credentials and the possibility of further unauthorized actions within the user portal.

Affected Systems

Affected products are Orca Energy’s Orca heat pump and its Orca user portal. Older heat pump devices that communicate with the control server over an unencrypted and unauthenticated HTTP connection on a non‑secure port are particularly vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and the EPSS score is not available, while the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw remotely over the network by impersonating a legitimate device and injecting malicious code, which then executes stored XSS in the user portal to steal cookies and potentially compromise user accounts.

Generated by OpenCVE AI on June 1, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the heat pump firmware to a version that requires authenticated and encrypted communication with the control server
  • Patch the user portal to validate and sanitize all aggregated data before rendering to eliminate the stored XSS avenue
  • Deploy a web application firewall or enforce browser security controls to block XSS attempts until official patches are applied
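As an added example (not code from Orca Energy or from OpenCVE), a minimal Python sketch of the second recommended action: the portal validates each aggregated device report and HTML-escapes every device-supplied value at the point of rendering, shown beside the string-concatenation pattern that produces the stored XSS. The field names, the device identifier format and the temperature range are assumptions, not the Orca wire format.

```python
import html
import re

# Constructed sample of aggregated device reports as a portal might receive them.
# Report hp-0002 carries an HTML fragment in its free-text name; hp-0003 is malformed.
SAMPLE_REPORTS = [
    {"device_id": "hp-0001", "name": "Garage pump", "outlet_temp_c": "41.5"},
    {"device_id": "hp-0002", "name": "<script>alert(1)</script>", "outlet_temp_c": "39.0"},
    {"device_id": "hp-0003", "name": "Attic pump", "outlet_temp_c": "hot"},
]

DEVICE_ID_RE = re.compile(r"[A-Za-z0-9-]{1,32}")  # assumed identifier format


def validate_report(report):
    """Return a cleaned copy of a report, or raise ValueError if it is malformed."""
    if not DEVICE_ID_RE.fullmatch(str(report.get("device_id", ""))):
        raise ValueError("bad device_id")
    try:
        temp = float(report["outlet_temp_c"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("bad outlet_temp_c") from None
    if not -40.0 <= temp <= 120.0:  # assumed plausible range for an outlet temperature
        raise ValueError("outlet_temp_c out of range")
    # Free text is length-capped here; it is still escaped on output, never trusted.
    name = str(report.get("name", ""))[:64]
    return {"device_id": report["device_id"], "name": name, "outlet_temp_c": temp}


def render_row_unsafe(report):
    """The pattern behind the stored XSS: device-supplied text concatenated into HTML."""
    return (f"<tr><td>{report['device_id']}</td><td>{report['name']}</td>"
            f"<td>{report['outlet_temp_c']}</td></tr>")


def render_row(report):
    """Hardened: every device-supplied value is HTML-escaped when written into the page."""
    cells = (report["device_id"], report["name"], f"{report['outlet_temp_c']:.1f}")
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"


def render_table(reports):
    """Validate each report, drop malformed ones, and render the rest safely."""
    rows, rejected = [], []
    for r in reports:
        try:
            rows.append(render_row(validate_report(r)))
        except ValueError as exc:
            rejected.append((r.get("device_id"), str(exc)))
    return "<table>" + "".join(rows) + "</table>", rejected
```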

Tracking

Advisories

No advisories yet.

References
History

Mon, 01 Jun 2026 11:00:00 +0000

Type         Values Removed   Values Added
Description  -                Missing authentication and clear-text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump's web control interface. Older Orca heat pump devices communicating with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an attacker to impersonate a legitimate device and inject malicious payloads. This enables the insertion of harmful code directly into the Orca user portal, potentially compromising user accounts, exposing sensitive information, and allowing further unauthorized actions within the portal.
Title        -                Missing authentication and clear-text data transmission affecting Orca heat pumps
Weaknesses   -                CWE-306, CWE-319, CWE-79
References   -                -
Metrics      -                cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-06-01T13:01:21.955Z

Reserved: 2026-02-03T07:24:49.547Z

Link: CVE-2026-25599

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T11:16:24.643

Modified: 2026-06-01T11:16:24.643

Link: CVE-2026-25599

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T12:30:28Z

Weaknesses