CISA Warns of Critical SunPower Device Vulnerability Let Attackers Gain Full Device Access

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory warning about a critical vulnerability in SunPower PVS6 solar power devices that could allow attackers to gain complete control over the systems.

The flaw, tracked as CVE-2025-9696, stems from the use of hardcoded credentials in the device’s BluetoothLE interface, presenting a significant threat to solar energy infrastructure worldwide.

The vulnerability affects SunPower PVS6 versions 2025.06 build 61839 and prior, with a CVSS v4 score of 9.4, indicating its critical severity.

Attackers positioned within Bluetooth range can exploit this weakness to access the device’s servicing interface, enabling them to replace firmware, disable power production, modify grid settings, create SSH tunnels, alter firewall configurations, and manipulate connected devices.

CISA analysts identified that the vulnerability stems from hardcoded encryption parameters and publicly accessible protocol details within the BluetoothLE implementation.

This design flaw transforms what should be a secure maintenance interface into an open gateway for malicious actors. The attack vector requires only adjacent network access with low complexity, making it particularly concerning for solar installations in populated areas.

Technical Attack Mechanism and Exploitation

The vulnerability lies in the PVS6’s authentication system, where static credentials give attackers a consistent entry point.

Once an attacker establishes a Bluetooth connection using these hardcoded parameters, they gain administrative privileges equivalent to legitimate service personnel.

The exploitation process involves reverse-engineering the publicly available protocol documentation to identify the authentication sequence.

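# Simplified representation of the vulnerability (illustrative pseudocode;
# the function and constant names are placeholders, not a real API)
bluetooth_connection = establish_ble_connection(target_device)
# The same static key is accepted by every device, so knowing it once is enough
if authenticate_with_hardcoded_key(bluetooth_connection, DEFAULT_SERVICE_KEY):
    admin_access = True  # same privileges as legitimate service personnel
    execute_firmware_replacement()
    modify_power_settings()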

The attack’s sophistication lies in its simplicity – no complex exploits or zero-day techniques are required.

Attackers can potentially develop automated tools to scan for vulnerable devices and compromise them systematically.

The vulnerability’s impact extends beyond individual devices, as compromised units could serve as pivots to access broader energy infrastructure networks.

Notably, SunPower has not responded to CISA’s coordination attempts, leaving users without official patches.

CISA recommends implementing network isolation, using VPNs for remote access, and deploying comprehensive monitoring systems to detect unauthorized access attempts.

Organizations should prioritize updating affected devices once patches become available and consider temporarily disabling Bluetooth functionality where operationally feasible.
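
To decide which units to isolate or have Bluetooth disabled first, an asset inventory can be triaged against the affected range stated above. The following is an added example, not code from CISA, SunPower or the original article; the inventory fields and device ids are hypothetical, and it assumes firmware strings follow the "2025.06 build 61839" form quoted in the advisory and that releases order by year, month, then build number.

```python
import re

# Affected range from the advisory text above: 2025.06 build 61839 and prior.
LAST_AFFECTED = (2025, 6, 61839)

# Assumption: firmware strings look like "2025.06 build 61839", as quoted above.
VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})\s+build\s+(\d+)\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (year, month, build), or None if the string is not in the expected form."""
    m = VERSION_RE.match(text or "")
    if not m:
        return None
    year, month, build = (int(g) for g in m.groups())
    if not 1 <= month <= 12:
        return None
    return (year, month, build)


def classify(firmware):
    """Return 'affected', 'not_listed' (newer than the advisory range) or 'unknown'."""
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # fail closed: unparsed devices need manual review
    return "affected" if version <= LAST_AFFECTED else "not_listed"


def triage(inventory):
    """Group device ids by status so affected and unknown units are handled first."""
    groups = {"affected": [], "not_listed": [], "unknown": []}
    for device in inventory:
        groups[classify(device.get("firmware"))].append(device["id"])
    return groups


# Constructed sample inventory (hypothetical ids and fields, not real devices).
SAMPLE_INVENTORY = [
    {"id": "site-a-pvs6-01", "firmware": "2025.06 build 61839"},
    {"id": "site-a-pvs6-02", "firmware": "2024.11 build 60412"},
    {"id": "site-b-pvs6-01", "firmware": "2025.08 build 62001"},
    {"id": "site-b-pvs6-02", "firmware": "unknown"},
    {"id": "site-c-pvs6-01", "firmware": None},
]

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

A "not_listed" result only means the build is newer than the range named in the advisory; it does not indicate that a fix has been shipped.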

The post CISA Warns of Critical SunPower Device Vulnerability Let Attackers Gain Full Device Access appeared first on Cyber Security News.
