CISA Alerts – Critical SunPower Vulnerability Could Grant Attackers Full Device Control

A high-severity flaw in SunPower’s PVS6 photovoltaic inverters has been cataloged as CVE-2025-9696 and assigned a CVSS v4 base score of 9.4, underscoring the grave implications for energy infrastructure worldwide.

This vulnerability enables adversaries within Bluetooth Low Energy (BLE) range to bypass authentication by exploiting hard-coded encryption parameters, potentially granting full administrative access to the device.

Technical Overview

The root cause lies in SunPower’s implementation of its BLE servicing interface, which relies on fixed encryption keys and publicly documented protocol specifications.

An attacker positioned within approximately 100 meters of an affected inverter can leverage these hard-coded credentials to authenticate with the servicing interface without supplying valid user credentials. Once inside, the attacker gains unfettered control over critical device functions.

Firmware replacement allows installation of malicious backdoors or disabling of power production, jeopardizing grid stability and causing economic damage. By altering grid-tie settings, attackers can provoke unsafe operating conditions or force the inverter offline.

Persistent remote access may be established by creating SSH tunnels through the inverter, enabling stealthy command-and-control channels.

Network settings, including firewall rules, can be modified to expose connected peripherals such as energy-storage systems and environmental sensors to further compromise.

With the PVS6 line deployed across residential, commercial, and utility-scale sites in North America, Europe, Asia, and Australia, the potential impact spans critical infrastructure sectors, notably energy generation and distribution.

All PVS6 units running firmware version 2025.06 build 61839 and earlier are confirmed vulnerable.

SunPower, headquartered in the United States, did not engage with the Cybersecurity and Infrastructure Security Agency (CISA) before public disclosure, limiting coordinated response efforts and underscoring the need for immediate defensive action by operators.

Mitigation and Recommendations

To reduce exposure, organizations should isolate inverter servicing networks behind dedicated firewalls and strictly separate them from business and public networks.

Physical measures that restrict BLE range, such as securing inverters within shielded enclosures or disabling the BLE interface when remote servicing is not necessary, further limit an attacker's ability to get within range of the device.

If remote management remains essential, access must be routed exclusively through up-to-date virtual private networks (VPNs) employing multi-factor authentication, with rigorous patch management applied to VPN endpoints to prevent them from becoming attack vectors.

Deploying layered security controls, including intrusion detection systems configured for industrial control protocols, real-time monitoring of inverter behavior, and anomaly detection analytics, provides defense-in-depth to detect and respond to unauthorized activities.

Operators are strongly encouraged to contact SunPower support for firmware updates or patches as they become available and to validate the integrity of their servicing interfaces.

Although no public exploitation of this vulnerability has been reported, the combination of low attack complexity and high potential impact demands immediate risk assessments and implementation of compensating controls.
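As a starting point for the risk assessment the advisory calls for, the following is an added example (not code from CISA or SunPower) that triages a fleet inventory against the affected firmware range quoted above and separates units that still have BLE enabled from those where it has been disabled. The version-string format, the ordering of releases by year, month and build, and the site ids in the sample inventory are all assumptions.

```python
import re

# Affected range as stated in the advisory: PVS6 firmware "2025.06 build 61839" and earlier.
# Ordering releases by (year, month, build) is an assumption about SunPower's numbering scheme.
LAST_VULNERABLE = (2025, 6, 61839)
# Accepts strings such as "2025.06 build 61839"; the exact string format is an assumption.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})\s+build\s+(\d+)\s*$", re.IGNORECASE)

def parse_pvs6_version(text: str) -> tuple[int, int, int]:
    """Turn 'YYYY.MM build N' into a comparable (year, month, build) tuple."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised PVS6 firmware version: {text!r}")
    year, month, build = (int(g) for g in match.groups())
    if not 1 <= month <= 12:
        raise ValueError(f"invalid month in firmware version: {text!r}")
    return (year, month, build)

def is_vulnerable(version: str) -> bool:
    """True when the firmware is at or below the last confirmed-vulnerable release."""
    return parse_pvs6_version(version) <= LAST_VULNERABLE

def triage_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Bucket inverters for a risk assessment: 'urgent' = vulnerable with BLE enabled,
    'mitigated' = vulnerable but BLE disabled, 'fixed' = newer firmware,
    'unknown' = version string could not be parsed and must be checked by hand."""
    buckets = {"urgent": [], "mitigated": [], "fixed": [], "unknown": []}
    for unit in inventory:
        try:
            vulnerable = is_vulnerable(unit["firmware"])
        except ValueError:
            buckets["unknown"].append(unit["id"])
            continue
        if not vulnerable:
            buckets["fixed"].append(unit["id"])
        elif unit.get("ble_enabled", True):  # assume BLE on unless the inventory says otherwise
            buckets["urgent"].append(unit["id"])
        else:
            buckets["mitigated"].append(unit["id"])
    return buckets

# Constructed sample inventory: hypothetical site ids and versions, not from the advisory.
SAMPLE_INVENTORY = [
    {"id": "site-A/inv-01", "firmware": "2025.06 build 61839", "ble_enabled": True},
    {"id": "site-A/inv-02", "firmware": "2025.06 build 61840", "ble_enabled": True},
    {"id": "site-B/inv-01", "firmware": "2024.11 build 58002", "ble_enabled": False},
    {"id": "site-C/inv-01", "firmware": "n/a", "ble_enabled": True},
]
```

Units in the "urgent" bucket are the ones to isolate or disable BLE on first; "unknown" entries need a manual version check before they can be cleared.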

Proactive measures are essential to safeguard renewable energy assets against this critical threat.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
