Critical Vulnerability Information

Vulnerability ID: MNDT-2025-0002

Description: EnerSys AMPA versions 24.04 through 24.16 (inclusive) contain a command injection vulnerability that could lead to privileged remote shell access.

Impact: High. This vulnerability allows remote shell access without authentication, enabling entities to execute unauthorized code on the device.

Exploitability: High. Any unauthenticated network user can exploit this vulnerability to gain remote shell access.

CVE ID: CVE-2024-12442

Common Weakness Enumeration: CWE-77: Improper Neutralization of Special Elements in a Command (Command Injection)

Remediation: The issue has been fixed in AMPA version 24.17.

Details

Products currently using the EnerSys library include Alpha XM3.1 Broadband UPS and Alpha Gateway firmware. The following versions are not affected by this vulnerability:

- Alpha XM3.1 Broadband UPS 1.10.01 and higher
- Alpha Gateway firmware 2.07.01 and higher

Refer to the referenced EnerSys product security advisory for additional details.

Discoverers

- Nick Guttila, Mandiant
- Neal Trischitta, Mandiant

Disclosure Timeline

- November 18, 2024: Discovered by Mandiant during active testing of version 1.10.0
- December 5, 2024: Patched by EnerSys in AMPA version 24.17
- April 23, 2025: Disclosed by EnerSys via CVE-2024-12442

References

- https://www.energys.com/
- https://www.energys.com/en/products/cable-broadband-solutions/broadband-ups/xm3.1-hp-broadband-ups/
- https://www.energys.com/4996df/globalassets/documents/corporate/cve/enersys%5fcve-2024-12442-final.pdf