CISA Alerts on Critical SunPower Vulnerability Allowing Full Device Takeover

The Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a high-severity alert (ICSA-25-245-03) regarding a critical vulnerability in SunPower’s PVS6 solar inverter series that allows attackers on adjacent networks to gain complete control of the device.

Rated 9.4 out of 10 on the CVSS v4 scale, the vulnerability stems from hard-coded credentials in the Bluetooth Low Energy (BLE) servicing interface and poses an urgent risk to energy infrastructure worldwide.

CISA’s executive summary warns that successfully exploiting this weakness could enable adversaries to replace firmware, alter grid settings, disable power production, establish unauthorized SSH tunnels, and manipulate connected devices.

Given the PVS6’s widespread deployment in residential and commercial solar installations, exploitation could disrupt power generation, damage equipment, or facilitate broader attacks on industrial control systems (ICS).

SunPower PVS6 units running firmware versions 2025.06 build 61839 and earlier are confirmed vulnerable.

The vulnerability, tracked as CVE-2025-9696, arises from the use of hard-coded encryption parameters and public protocol details in the BLE interface.

An attacker within Bluetooth range—approximately 50 meters under ideal conditions—can leverage these credentials to access the device’s servicing port, designed for maintenance operations.

Because the vulnerability is exploitable with low complexity and requires no user interaction or prior privileges, it poses a significant threat to critical infrastructure.

CISA emphasizes that while the attack cannot be launched remotely over the internet, many installations expose Bluetooth interfaces without proper network segmentation, effectively placing devices within reach of malicious actors.

Technical Details

  • Vulnerability: Use of hard-coded credentials in BLE servicing interface (CWE-798).
  • CVSS v3.1 Base Score: 9.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
  • CVSS v4 Base Score: 9.4 (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
  • Researcher: Dagan Henderson.
  • Affected Sectors: Energy, with global deployments.
  • Release Date: September 2, 2025.

CISA’s advisory details that hard-coded credentials allow decryption and unauthorized commands to the servicing interface.

Once inside, attackers can upload malicious firmware images, introduce persistent backdoors, and reconfigure firewall and network settings to maintain access or pivot to other ICS assets.

Mitigations

SunPower has not publicly responded to CISA’s coordination requests. In the interim, CISA recommends the following defensive measures:

  • Network Segmentation: Place all PVS6 devices behind firewalls and separate from business and public networks. Ensure Bluetooth interfaces are disabled or isolated from general-purpose devices.
  • Limit Exposure: Remove direct internet access for control interfaces. Where remote servicing is necessary, require connection only via hardened Virtual Private Networks (VPNs) with up-to-date firmware and multifactor authentication.
  • Access Control: Implement strict Bluetooth pairing policies, using dedicated, non-public credentials, and continuously monitor for unauthorized BLE connections.
  • Impact Analysis: Conduct risk assessments before deploying defensive measures to verify operational continuity and safety.

CISA also directs organizations to its ICS recommended practices portal for further guidance, including “Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies” and “Targeted Cyber Intrusion Detection and Mitigation Strategies.”

To guard against social engineering, users should avoid clicking unsolicited links or attachments and consult CISA’s phishing and email scam resources.

While CISA has not received reports of active exploitation targeting CVE-2025-9696, the advisory stresses that the vulnerability remains dangerous until patched. Organizations are urged to treat this as a high-priority remediation task.

Owners of SunPower PVS6 devices should immediately verify firmware versions and seek updated releases from SunPower.

As CISA continues to monitor incident reports, any observed malicious activity should be reported to CISA’s Incident Response Team for correlation and wider community protection.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.