A critical vulnerability (CVE-2025-9696, CVSS v4: 9.4) in SunPower’s PVS6 photovoltaic inverters allows attackers within Bluetooth Low Energy (BLE) range (about 100 meters) to bypass authentication using hard-coded encryption keys, gaining full administrative control. Exploiting this flaw enables adversaries to replace firmware with malicious backdoors, disable power production, or alter grid-tie settings, risking grid instability, unsafe operating conditions, or forced offline states. Attackers can also establish persistent remote access via SSH tunnels, modify firewall rules to expose connected energy-storage systems, and compromise environmental sensors.

The vulnerability affects global deployments across residential, commercial, and utility-scale sites in North America, Europe, Asia, and Australia, threatening critical energy infrastructure. All PVS6 units running firmware ≤ 2025.06 build 61839 are vulnerable. SunPower’s lack of coordination with CISA before disclosure exacerbates risks, leaving operators to implement emergency mitigations such as network isolation, BLE range restrictions, and VPN-enforced remote access while awaiting patches. Though no public exploitation is confirmed, the low attack complexity and high potential for economic and systems disruption demand urgent action to prevent large-scale energy sector compromise.
Source: https://cyberpress.org/sunpower-vulnerability/
TPRM report: https://www.rankiteo.com/company/sunpower-corporation
"id": "sun457090325",
"linkid": "sunpower-corporation",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': 'Operators of PVS6 inverters '
'(residential, commercial, '
'utility-scale)',
'industry': ['Renewable Energy',
'Solar Technology',
'Critical Infrastructure'],
'location': 'United States (HQ), Global Deployments '
'(North America, Europe, Asia, Australia)',
'name': 'SunPower Corporation',
'type': 'Manufacturer'}],
'attack_vector': ['Bluetooth Low Energy (BLE)',
'Hard-coded Credentials',
'Proximity-based Attack'],
'customer_advisories': ['Residential/commercial solar system owners',
'Utility-scale energy providers'],
'description': 'A high-severity flaw in SunPower’s PVS6 photovoltaic '
'inverters (CVE-2025-9696, CVSS v4: 9.4) allows adversaries '
'within Bluetooth Low Energy (BLE) range (~100 meters) to '
'bypass authentication via hard-coded encryption parameters, '
'granting full administrative access. Exploitation risks '
'include firmware manipulation, grid instability, backdoor '
'installation, and unauthorized remote access via SSH tunnels. '
'The vulnerability affects all PVS6 units running firmware '
'≤2025.06 build 61839, deployed globally across residential, '
'commercial, and utility-scale energy infrastructure.',
'impact': {'brand_reputation_impact': 'High (due to critical infrastructure '
'risk and lack of coordinated '
'disclosure)',
'customer_complaints': 'Potential (from service disruptions)',
'downtime': 'Potential (forced offline or unsafe operating '
'conditions)',
'financial_loss': 'Potential (economic damage from grid '
'instability, downtime, or remediation costs)',
'legal_liabilities': 'Potential (regulatory non-compliance, '
'failure to engage CISA)',
'operational_impact': ['Grid Instability',
'Power Production Disruption',
'Unsafe Operating Conditions',
'Loss of Administrative Control'],
'revenue_loss': 'Potential (from downtime, reputational damage, or '
'regulatory penalties)',
'systems_affected': ['SunPower PVS6 Photovoltaic Inverters',
'Connected Energy-Storage Systems',
'Environmental Sensors',
'Grid-Tie Infrastructure']},
'initial_access_broker': {'backdoors_established': 'Potential (via firmware '
'replacement or SSH '
'tunnels)',
'entry_point': 'BLE interface with hard-coded '
'credentials',
'high_value_targets': ['Grid-tie settings',
'Energy-storage systems',
'Administrative controls']},
'investigation_status': 'Ongoing (no public exploitation reported; mitigation '
'urged)',
'lessons_learned': ['Critical infrastructure vulnerabilities require '
'coordinated disclosure with agencies like CISA.',
'Hard-coded credentials in BLE interfaces pose severe '
'risks in proximity-based attacks.',
'Layered security (firewalls, VPNs, MFA, monitoring) is '
'essential for industrial control systems.',
'Proactive patch management and physical access controls '
'mitigate exploitation windows.'],
'motivation': ['Potential Sabotage',
'Grid Disruption',
'Unauthorized Control',
'Espionage',
'Financial Gain (via ransomware or data theft)'],
'post_incident_analysis': {'corrective_actions': ['Firmware patch to remove '
'hard-coded credentials',
'Enhanced authentication '
'mechanisms for BLE '
'interfaces',
'Mandatory CISA engagement '
'for critical '
'infrastructure '
'vulnerabilities'],
'root_causes': ['Hard-coded encryption keys in BLE '
'servicing interface',
'Lack of pre-disclosure '
'coordination with CISA',
'Insufficient physical access '
'controls for proximity-based '
'attacks']},
'recommendations': ['Immediately isolate PVS6 servicing networks and apply '
'compensating controls.',
'Disable BLE interfaces when not actively used for '
'servicing.',
'Deploy VPNs with MFA for remote access and monitor for '
'anomalies.',
'Contact SunPower for firmware updates and integrity '
'validation.',
'Conduct risk assessments for grid-tie and connected '
'peripheral systems.',
'Implement intrusion detection for industrial protocols '
'(e.g., Modbus, DNP3).',
'Restrict physical access to inverters via shielding or '
'secure enclosures.'],
'references': [{'source': 'Cybersecurity Advisory (Hypothetical)'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA engagement '
'lacking '
'(pre-disclosure)']},
'response': {'communication_strategy': ['Public advisory (via media)',
'Operator notifications '
'(recommended)'],
'containment_measures': ['Isolate inverter servicing networks '
'behind dedicated firewalls',
'Separate servicing networks from '
'business/public networks',
'Restrict BLE range via physical '
'shielding or disabling interface',
'Route remote access through VPNs with '
'MFA'],
'enhanced_monitoring': ['Intrusion detection for industrial '
'control protocols',
'Real-time inverter behavior monitoring',
'Anomaly detection analytics'],
'network_segmentation': 'Recommended (dedicated firewalls for '
'servicing networks)',
'remediation_measures': ['Apply firmware updates/patches (when '
'available)',
'Validate servicing interface integrity',
'Disable BLE interface when not in '
'use']},
'stakeholder_advisories': ['Operators of PVS6 inverters',
'Energy sector CISOs',
'Critical infrastructure protection agencies'],
'title': 'Critical Authentication Bypass Vulnerability in SunPower PVS6 '
'Photovoltaic Inverters (CVE-2025-9696)',
'type': ['Vulnerability Exploitation',
'Authentication Bypass',
'Unauthorized Access'],
'vulnerability_exploited': {'affected_software': 'SunPower PVS6 firmware '
'≤2025.06 build 61839',
'cve_id': 'CVE-2025-9696',
'cvss_score': '9.4 (CVSS v4)',
'description': 'Hard-coded encryption parameters '
'in BLE servicing interface, '
'enabling authentication bypass '
'and full administrative access.',
'patch_status': 'Pending (firmware update '
'recommended)'}}