A newly disclosed vulnerability in SunPower PVS6 solar inverters exposes critical energy infrastructure to takeovers by attackers who merely need to be within Bluetooth range. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued advisory ICSA-25-245-03 on September 2, 2025, detailing how hard-coded encryption parameters in the device’s Bluetooth Low Energy (BLE) servicing interface allow unauthorized parties to gain full administrative access. The flaw, assigned CVE-2025-9696, earned a CVSS v4 score of 9.4 and a CVSS v3.1 score of 9.6, underscoring its severity.
SunPower did not respond to CISA’s coordination attempts, leaving operators without a patch. As a result, owners and service providers must immediately implement compensating controls to reduce risk. The vulnerability affects all PVS6 units running firmware 2025.06 build 61839 and earlier, a fleet deployed worldwide in residential and small-commercial solar installations.
A Bluetooth Backdoor into Grid-Connected Devices
The PVS6 is a string inverter that converts DC power from solar panels into AC power for the grid. Installers and technicians routinely use the Bluetooth LE interface for servicing and diagnostics. However, CISA’s advisory reveals that the interface uses hard-coded encryption parameters, effectively giving anyone who can reverse-engineer or publicize the keys a skeleton key to the device’s most sensitive functions.
Because the parameters are fixed and not device-unique, an attacker can derive the session keys required to authenticate as a legitimate service terminal. Paired with publicly accessible protocol details, developing an exploit becomes straightforward. This combination corresponds to CWE-798 (Use of Hard-Coded Credentials), a long-standing weakness that has repeatedly plagued IoT and ICS devices.
Understanding the Attack Flow
An attacker would use a standard Bluetooth 5.0 adapter and open-source tools to scan for the PVS6’s BLE advertisements. Because the service UUIDs are public, identifying a target is trivial. The hard-coded encryption parameters allow the attacker to initiate a bonding or service-discovery session without needing a PIN or passkey. Once bonded, the attacker enumerates the GATT services designated for servicing and directly invokes firmware-upload or configuration-write commands.
Once an attacker establishes a servicing session, the list of possible actions is catastrophic:
- Replace device firmware, enabling persistent backdoors or malicious modifications.
- Disable or throttle power production, causing availability losses.
- Alter grid interconnection settings, which could violate safety and regulatory requirements.
- Create SSH tunnels through the inverter’s network interfaces, pivoting into connected networks.
- Modify firewall rules to allow further remote access.
- Manipulate downstream devices attached to the inverter, such as power optimizers or battery storage systems.
These capabilities make the vulnerability an operational technology (OT) risk that bridges into traditional IT environments. An attacker sitting in a parking lot or neighboring building could, in principle, brick inverters or use them as entry points into broader supervisory control and data acquisition (SCADA) systems if network segmentation is weak.
The ICS Security Blind Spot
Many organizations still treat solar inverters as simple electrical devices rather than network-connected computers, so the devices fall outside formal vulnerability management programs. This incident shows that any device with a Bluetooth or network interface must be patched and monitored like any other endpoint.
Scoring Breakdown: Why 9.4 is So High
CISA calculated both CVSS v3.1 and v4 vectors. The v4 score of 9.4 reflects an adjacent attack vector (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impacts across all three security dimensions for both the vulnerable component and subsequent systems (VC:H/VI:H/VA:H, SC:H/SI:H/SA:H). Essentially, an attacker needs only proximity and rudimentary knowledge to completely compromise the device and potentially jump to connected infrastructure.
The v3.1 score of 9.6 is similarly grave: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The “Scope Changed” (S:C) flag indicates that the vulnerability allows impact beyond the local component, a critical nuance for OT networks where an inverter might be a stepping stone.
Independent vulnerability trackers, including Tenable and CVE Details, have corroborated these ratings, ensuring that security tools will flag the CVE across asset inventories and scanning platforms.
Vendor Silence Leaves Operators on Their Own
Perhaps most alarming for defenders is SunPower’s non-response to CISA’s coordinated disclosure. The advisory explicitly states that the vendor did not engage, meaning there is currently no official firmware fix, no workaround bulletin, and no timeline for remediation. Operators cannot simply wait for a patch management cycle; they must actively reduce exposure.
CISA’s advisory includes general ICS mitigation recommendations: minimize network exposure for all control system devices, isolate control system networks behind firewalls, and use secure remote access methods like VPNs. These are sound but not tailored to the Bluetooth-specific threat. The forum community expanded on these with practical, immediate steps.
Rapid Response: What to Do in the Next 24 Hours
Security analysts and facility managers should treat this as an active risk and begin containment immediately. The following checklist draws from both CISA’s guidance and operational advice from affected users:
- Disable Bluetooth servicing interfaces on all PVS6 units unless actively needed for maintenance. If the device supports a setting to turn off BLE discoverability, enable it.
- Physically secure inverter locations – lock equipment rooms, ensure rooftop access is controlled, and restrict how close unvetted individuals can get to installed units.
- Inventory affected devices – log all PVS6 inverters, their current firmware builds, and their Bluetooth MAC addresses. Any unit on 2025.06 build 61839 or below is vulnerable.
- Network segmentation – place PVS6 management IP addresses on a dedicated OT VLAN with strict access controls. Block all unnecessary traffic between that segment and the business network.
- Restrict provisioning workstations – only allow authorized, hardened laptops or tablets to connect to inverters over Bluetooth. Ban personal devices and ensure those workstations are patched, not used for general internet access, and monitored for compromise.
- Monitor for suspicious activity – set alerts for unexpected Bluetooth pairing attempts, firmware update logs, new SSH sessions originating from inverter IPs, and modifications to firewall rules. Ingest device logs into a SIEM if possible.
- Prepare incident response – if a unit is suspected of compromise, isolate it from the network and, where safe, from the power system. Do not depend on the device’s own reporting – an attacker may have disabled logging. Re-flash firmware only from signed, verified images once a patch becomes available.
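As an added example that is not part of CISA’s advisory or the checklist above, the following script ties the inventory and monitoring steps together: it flags inventoried units still on firmware 2025.06 build 61839 or earlier, and runs simple alert rules over log lines for firmware uploads, firewall rule changes, BLE pairing events and SSH sessions initiated from inverter IPs. The inventory entries, IP addresses, serial numbers and log message formats are all constructed placeholders; a real SIEM would substitute its own field names.

```python
import re

# Constructed inventory keyed by management IP; firmware strings use the form the
# advisory quotes ("2025.06 build 61839"). Serial numbers are placeholders.
INVENTORY = {
    "10.20.30.11": {"serial": "PVS6-PLACEHOLDER-01", "firmware": "2025.06 build 61839"},
    "10.20.30.12": {"serial": "PVS6-PLACEHOLDER-02", "firmware": "2025.03 build 60120"},
}
LAST_VULNERABLE = (2025, 6, 61839)  # 2025.06 build 61839 and earlier are affected

def firmware_tuple(fw: str) -> tuple:
    """Parse 'YYYY.MM build N' into a tuple that compares chronologically."""
    m = re.fullmatch(r"(\d{4})\.(\d{2}) build (\d+)", fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    return tuple(int(g) for g in m.groups())

def is_vulnerable(fw: str) -> bool:
    return firmware_tuple(fw) <= LAST_VULNERABLE

# Hypothetical syslog-style message formats; map these to your own log schema.
RULES = [
    ("firmware_update", re.compile(r"\bfirmware (upload|update|flash)\b", re.I)),
    ("firewall_change", re.compile(r"\b(iptables|firewall) rule (added|modified|deleted)\b", re.I)),
    ("ble_pairing", re.compile(r"\bBLE (pairing|bonding) (request|completed)\b", re.I)),
]
SSH_RE = re.compile(r"ssh (?:session|connection) from (\d+\.\d+\.\d+\.\d+)", re.I)

def scan_logs(lines, inventory=INVENTORY) -> list:
    """Return (rule, line) alerts for servicing activity and inverter-originated SSH."""
    alerts = []
    for line in lines:
        alerts.extend((name, line) for name, rx in RULES if rx.search(line))
        m = SSH_RE.search(line)
        if m and m.group(1) in inventory:  # an inverter should never initiate SSH
            alerts.append(("ssh_from_inverter", line))
    return alerts

SAMPLE_LOGS = [  # constructed sample lines
    "Sep 03 02:14:07 pvs6-01 servicing: BLE pairing request from 3C:AB:12:34:56:78",
    "Sep 03 02:15:40 pvs6-01 updater: firmware upload started (image.bin)",
    "Sep 03 02:16:02 fw-ot-01 sshd: ssh session from 10.20.30.11 to 10.0.5.20:22",
    "Sep 03 02:16:30 fw-ot-01 sshd: ssh session from 10.0.8.44 to 10.0.5.20:22",
]

if __name__ == "__main__":
    print("still vulnerable:", [u["serial"] for u in INVENTORY.values() if is_vulnerable(u["firmware"])])
    for rule, line in scan_logs(SAMPLE_LOGS):
        print(f"[{rule}] {line}")
```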
Recommendations for Installers and Service Providers
Use only pre-configured, secure provisioning tablets that have been locked down and are never used for email or web browsing. Implement a strict process: before each service visit, verify the tablet’s firmware and security configuration. After servicing, re-disable Bluetooth on the inverter if possible.
The Windows and IT Admin Perspective
For Windows-centric IT teams that suddenly find themselves managing OT assets, this vulnerability serves as a wake-up call. Many solar inverters are managed through Windows-based provisioning tools or by technicians using Windows laptops. An attacker who compromises that laptop – even through a conventional phishing campaign – could then use its Bluetooth adapter to reach nearby inverters and launch the exploit. Thus, securing the IT endpoint becomes critical to preventing OT exploitation.
Windows administrators should:
- Enforce BitLocker encryption, Windows Defender Firewall rules, and application control on all provisioning workstations.
- Ensure those machines use up-to-date Bluetooth drivers and disable Bluetooth when not in use.
- Enforce multi-factor authentication for all accounts that may access the OT provisioning software.
- Enroll PVS6 devices in Active Directory or Azure AD if they support directory integration, or at least keep a strict asset management database.
- Use Sysmon or Microsoft Defender for Endpoint to log Bluetooth connection events and alert on unusual pairings.
Who Is Most at Risk?
The risk is not uniform. Installations where inverters are placed in publicly accessible areas – such as ground-mounted arrays near fences, rooftop units with easy roof access, or units in shared mechanical rooms – are at highest risk. Sites that frequently service units with rotating contractors and unknown devices amplify the attack surface. Conversely, inverters installed inside locked private garages with no Bluetooth provisioning needs are less exposed, provided the interface is disabled.
Organizations with poor segmentation between OT and IT networks face a compounding danger: a local Bluetooth compromise could allow an attacker to pivot into corporate networks via the inverter’s Ethernet or Wi-Fi interfaces. The advisory warns that attackers could create SSH tunnels, essentially turning the inverter into a rogue network node. This underscores why firewalls between OT and IT are non-negotiable.
The Disclosure and Threat Landscape
While CISA reported no known public exploitation at the time of publication, that assurance carries a shelf life. Once detailed vulnerability information and exploit code inevitably surface, the threat profile will spike. The advisory credits independent researcher Dagan Henderson for the responsible disclosure, but with SunPower unresponsive, the details are now fully public. Defenders should anticipate proof-of-concept code appearing in penetration testing frameworks like Metasploit.
The energy sector is a designated critical infrastructure sector, and CISA’s advisory classifies the vulnerability accordingly. Inverters from numerous manufacturers have faced security scrutiny in recent years, with many found lacking basic protections. This incident is another reminder that devices bridging renewable generation and grid management must be designed with security from the start, not treated as trusted appliances.
Long-term Mitigation and When a Patch Arrives
When SunPower eventually releases updated firmware, operators must proceed with caution. Verify the authenticity of the firmware image by checking digital signatures and SHA-256 hashes against official sources. Test the update on a non-production unit first, as firmware changes can unexpectedly alter power output behavior or invalidate grid interconnection agreements. Do not apply patches received via unsolicited emails or phone calls – CISA warns of social engineering attacks that often follow high-profile vulnerabilities.
In the absence of a patch, organizations should consider whether the inverters can be temporarily taken offline during high-risk periods, but this may not be feasible for economic or operational reasons. Any such decision should involve a formal risk assessment and coordination with utility partners.
Conclusion
CVE-2025-9696 is a textbook case of the danger posed by hard-coded credentials in OT devices. By embedding fixed encryption keys in a Bluetooth service interface, SunPower inadvertently gave attackers a master key to its PVS6 inverters. The CVSS 9.4 rating is deserved because the impact includes total device compromise and potential lateral movement into sensitive energy control networks.
The vulnerability’s mitigation now falls squarely on device owners. CISA’s guidance and community-shared best practices provide a clear path: disable Bluetooth when not needed, lock down physical access, segment networks, monitor aggressively, and prepare for incident response. The energy sector must treat this not just as an academic firmware bug but as a real operational threat that, left unaddressed, could disrupt power generation and open a backdoor into critical IT systems.
Operators should check CISA’s advisory page and SunPower’s official channels regularly for updates. In the meantime, every PVS6 inverter running an older firmware build should be considered a high-priority asset for immediate hardening.