The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory warning about a critical vulnerability in SunPower PVS6 solar power devices that could allow attackers to gain complete control over the systems.
The flaw, tracked as CVE-2025-9696, stems from the use of hardcoded credentials in the device’s BluetoothLE interface, presenting a significant threat to solar energy infrastructure worldwide.
The vulnerability affects SunPower PVS6 versions 2025.06 build 61839 and prior, with a CVSS v4 score of 9.4, indicating its critical severity.
Attackers positioned within Bluetooth range can exploit this weakness to access the device’s servicing interface, enabling them to replace firmware, disable power production, modify grid settings, create SSH tunnels, alter firewall configurations, and manipulate connected devices.
According to the advisory, the flaw stems from hardcoded encryption parameters combined with publicly available protocol details in the BluetoothLE implementation: anyone who knows the fixed parameters and the documented protocol can authenticate as a servicer.
This turns what should be an authenticated maintenance interface into an open door. The CVSS vector rates the attack as requiring only adjacent (Bluetooth-range) access with low attack complexity, which is especially concerning for installations in populated areas where an attacker can get within range unnoticed.
Technical Attack Mechanism and Exploitation
The weakness lies in the PVS6's authentication design: because the credential is static and identical across devices, it gives every attacker the same entry point on every affected unit.
Once an attacker completes the BluetoothLE authentication with the hardcoded parameters, the device treats the session as a legitimate service session and grants the same administrative privileges a field technician would have.
No reverse engineering of the device itself is required: the publicly available protocol details describe the authentication sequence, and the hardcoded parameters supply the credential.
```python
# Simplified representation of the vulnerability (schematic pseudocode from the
# article; the functions and DEFAULT_SERVICE_KEY are placeholders, not real API calls)
bluetooth_connection = establish_ble_connection(target_device)
if authenticate_with_hardcoded_key(DEFAULT_SERVICE_KEY):
    # The static key is the same on every unit, so this check always succeeds
    admin_access = True
    execute_firmware_replacement()
    modify_power_settings()
```
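To make the CWE-798 pattern concrete, the following added example (written for this page, not taken from SunPower or from CISA's advisory) models a servicing interface that trusts one fleet-wide static key beside a hardened design that uses a per-device secret and a single-use nonce challenge. The class and function names, the keys and the message shapes are constructed for the demonstration; this is not the PVS6 protocol. The four checks in `demo()` show why a static credential extracted from one unit compromises every other unit, while the hardened unit rejects another unit's secret and rejects a replayed response.

```python
"""Added example (not SunPower's code or protocol): the CWE-798 pattern the
advisory describes, a single static service credential shared by every unit,
beside a hardened per-device challenge-response design. All keys, names and
message formats here are constructed for the demonstration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# --- Vulnerable pattern: one key baked into every unit's firmware -------------
FLEET_SERVICE_KEY = b"constructed-static-service-key"  # identical on every device


class StaticKeyServicer:
    """Servicing interface that trusts anyone presenting the fleet-wide key.
    Extracting the key from one unit (or reading it from public protocol
    material) authenticates the attacker to every other unit."""

    def __init__(self, serial: str) -> None:
        self.serial = serial
        self.admin_session = False

    def authenticate(self, presented_key: bytes) -> bool:
        self.admin_session = hmac.compare_digest(presented_key, FLEET_SERVICE_KEY)
        return self.admin_session


# --- Hardened pattern: per-device secret + single-use nonce challenge ---------
def provision_device_secret(factory_root_key: bytes, serial: str) -> bytes:
    """Derive a unique secret per serial at manufacture (constructed scheme).
    Assumes the root key never leaves the factory HSM; a random secret per unit
    stored in a secure element is equally valid and avoids a master key."""
    return hmac.new(factory_root_key, serial.encode(), hashlib.sha256).digest()


def technician_response(device_secret: bytes, nonce: bytes) -> bytes:
    """What the legitimate service tool computes; it needs this unit's secret."""
    return hmac.new(device_secret, nonce, hashlib.sha256).digest()


class ChallengeResponseServicer:
    """Servicing interface that issues a fresh random nonce per attempt and
    accepts only an HMAC over that nonce keyed with this unit's own secret."""

    def __init__(self, serial: str, device_secret: bytes) -> None:
        self.serial = serial
        self._secret = device_secret
        self._pending_nonce: Optional[bytes] = None
        self.admin_session = False

    def challenge(self) -> bytes:
        self._pending_nonce = secrets.token_bytes(16)
        return self._pending_nonce

    def authenticate(self, response: bytes) -> bool:
        if self._pending_nonce is None:
            return False  # no outstanding challenge: nothing to respond to
        nonce, self._pending_nonce = self._pending_nonce, None  # single use
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        self.admin_session = hmac.compare_digest(response, expected)
        return self.admin_session


def demo() -> Dict[str, bool]:
    """Attacker has fully compromised unit A and now targets unit B."""
    results: Dict[str, bool] = {}

    # Static key: what was learned from unit A is all that is needed on unit B.
    unit_b = StaticKeyServicer("B")
    leaked_from_a = FLEET_SERVICE_KEY
    results["static_key_cross_unit"] = unit_b.authenticate(leaked_from_a)

    # Per-device secret: unit A's secret does not open unit B ...
    root = b"constructed-factory-root-key"
    secret_a = provision_device_secret(root, "A")
    secret_b = provision_device_secret(root, "B")
    hardened_b = ChallengeResponseServicer("B", secret_b)
    nonce = hardened_b.challenge()
    results["per_device_cross_unit"] = hardened_b.authenticate(
        technician_response(secret_a, nonce))

    # ... the real technician with unit B's secret still can ...
    nonce = hardened_b.challenge()
    captured = technician_response(secret_b, nonce)
    results["per_device_legit"] = hardened_b.authenticate(captured)

    # ... and a sniffed response is useless against the next challenge.
    hardened_b.challenge()
    results["per_device_replay"] = hardened_b.authenticate(captured)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

On real hardware the per-device secret belongs in a secure element rather than in flash, and the application-layer check above complements, rather than replaces, authenticated pairing at the link layer (BLE LE Secure Connections); the point of the example is only that a credential shared by a whole fleet is a single point of failure, whereas a per-unit secret with a fresh challenge limits a compromise to the one device whose secret was extracted.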
The attack is notable for its simplicity: it needs no complex exploit chain or zero-day technique, only the static credential and the documented protocol.
Because the credential is the same on every affected unit, attackers could build automated tools that scan for PVS6 devices within Bluetooth range and compromise them systematically.
The impact extends beyond individual devices: with SSH tunnels and firewall changes available from the servicing interface, a compromised unit could serve as a pivot into the network it is connected to.
Notably, SunPower has not responded to CISA's coordination attempts, so no official patch is available to users.
CISA recommends implementing network isolation, using VPNs for remote access, and deploying comprehensive monitoring systems to detect unauthorized access attempts.
Organizations should prioritize updating affected devices once patches become available and consider temporarily disabling Bluetooth functionality where operationally feasible.