OTPulse
FeedAboutContact

Enphase Envoy

Monitor6.3ICS-CERT ICSA-23-171-01Jun 20, 2023
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Enphase Envoy D7.0.88 contains an OS command injection vulnerability that allows an authenticated attacker to execute arbitrary commands with root privileges. Successful exploitation could grant complete control of the gateway, affecting inverter management and grid power export. The vulnerability is exploitable over the network by users with valid login credentials.

What this means
What could happen
An attacker with login credentials could gain root-level control of the Envoy gateway, potentially allowing them to alter solar inverter settings, disable monitoring, or disrupt power production and export to the grid.
Who's at risk
Solar power system operators and facility managers running Enphase Envoy gateways at residential, commercial, or utility-scale solar installations. This affects anyone responsible for microinverter monitoring and control systems that depend on the Envoy device.
How it could be exploited
An attacker with valid user credentials could authenticate to the Envoy web interface or API and inject system commands that execute with root privileges. This would give them direct control over the gateway's functions, including inverter configuration and power export controls.
Prerequisites
  • Valid user credentials for Envoy web interface or API access
  • Network access to the Envoy device on the local network or via exposed web interface
Requires valid credentials (authenticated attack)Remotely exploitable over networkLow complexity exploitationAffects power generation and export control
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
ProductAffected VersionsFix Status
Envoy: D7.0.88D7.0.887.3.130 (North America) / 7.6.175 (Europe and rest of world)
Remediation & Mitigation
0/5
Do now
0/1
WORKAROUNDRestrict network access to the Envoy device - do not expose the web interface directly to the Internet
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Envoy to IQ Gateway Software version 7.3.130 (North America) or 7.6.175 (Europe/rest of world)
Long-term hardening
0/3
HARDENINGPlace the Envoy device behind a firewall and isolate it from business network systems
HARDENINGIf remote access to the Envoy is required, use a VPN connection instead of direct Internet exposure
HARDENINGEnforce strong passwords for all Envoy user accounts
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/ef30f781-c074-4fa0-b5c9-daabb5021b0c
Enphase Envoy | CVSS 6.3 - OTPulse