OTPulse

EG4 Electronics EG4 Inverters (Update B)

Plan: Patch · 8.8 · ICS-CERT ICSA-25-219-07 · Aug 7, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

EG4 Electronics inverters contain multiple vulnerabilities in firmware update mechanisms and communication security. CVE-2025-47872 allows enumeration of sensitive data through non-standardized endpoint responses. CVE-2025-46414 involves unencrypted sensitive data transmission. CVE-2025-53520 permits unsigned/unauthenticated firmware installation without integrity verification. CVE-2025-52586 transmits communication between the dongle and server in plaintext. These vulnerabilities allow attackers to intercept and modify critical inverter commands, install malicious firmware, or compromise system integrity if they have network access to the inverter or its management interface.

What this means
What could happen
An attacker with network access could intercept firmware updates, inject malicious code, or capture unencrypted communications between inverters and control servers, potentially leading to unauthorized control of solar/battery system output or shutdown of critical power generation infrastructure.
Who's at risk
Energy providers and facilities using EG4 solar inverters and battery management systems should care. Specifically, EG4 Flex 21, Flex 18, 12kPV, 18kPV, 6000XP, 12000XP, and GridBoss controllers are affected. Anyone relying on these inverters for grid-connected or islanded power systems faces risk.
How it could be exploited
An attacker on the same network segment, or otherwise positioned to intercept traffic, could read unencrypted communications (CVE-2025-52586), enumerate sensitive data through non-standardized responses (CVE-2025-47872), or inject malicious firmware during the update process (CVE-2025-53520). This could allow the attacker to reprogram the inverter to alter power output, disconnect from the grid, or expose control credentials.
Prerequisites
  • Network access to the inverter or its communication path to the server
  • Ability to intercept or modify network traffic to/from the inverter
  • For firmware attacks: access to the firmware update mechanism (typically via connected dongle or network interface)
remotely exploitable · no authentication required for data interception · low complexity attack · no patch available for most products · affects critical power generation and control systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
7 EOL
Product        Affected Versions            Fix Status
EG4 12kPV      vers:all/* (All versions)    No fix (EOL)
EG4 18kPV      vers:all/* (All versions)    No fix (EOL)
EG4 6000XP     vers:all/* (All versions)    No fix (EOL)
EG4 12000XP    vers:all/* (All versions)    No fix (EOL)
EG4 GridBoss   vers:all/* (All versions)    No fix (EOL)
EG4 Flex 21    vers:all/* (All versions)    No fix (EOL)
EG4 Flex 18    vers:all/* (All versions)    No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate inverter management networks from business networks and the Internet using network segmentation or firewall rules
HARDENING: If remote access to inverters is required, implement a VPN with current patches; do not allow direct Internet connectivity to inverter interfaces
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact EG4 support (support@eg4electronics.com) to obtain and install the new firmware for CVE-2025-53520 (firmware integrity check) and CVE-2025-52586 (encrypted communication)
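The hotfix above restores the firmware integrity check whose absence is CVE-2025-53520. The following Python is an added example, not EG4's code or image format, of what such a check looks like on the receiving side: a constructed image container carrying a magic value, a version, a payload length and an HMAC-SHA256 tag, and a verifier that rejects truncated, padded, tampered, wrongly keyed or downgraded images before any byte reaches flash. The container layout, the key and the version numbers are assumptions for illustration. A real device would preferably verify a public-key signature (for example Ed25519) so that no signing secret lives on the inverter; the Python standard library has no such primitive, which is why HMAC stands in for it here.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed image container (an assumption for this example, not EG4's real format):
#   magic (4 bytes) | version (uint32 BE) | payload_len (uint32 BE) | payload | tag (32 bytes)
# The tag is HMAC-SHA256 over header + payload under a key shared with the build system.
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")
TAG_LEN = hashlib.sha256().digest_size
MAX_PAYLOAD = 8 * 1024 * 1024  # upper bound checked before trusting the declared length


@dataclass
class VerifyResult:
    ok: bool
    version: Optional[int]
    reason: str


def build_image(version: int, payload: bytes, key: bytes) -> bytes:
    """Build-side helper: wrap a payload in the container and append its tag."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(blob: bytes, key: bytes, installed_version: int) -> VerifyResult:
    """Device-side check, run in full before any byte is written to flash."""
    if len(blob) < HEADER.size + TAG_LEN:
        return VerifyResult(False, None, "image too short for header and tag")
    magic, version, payload_len = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        return VerifyResult(False, None, "bad magic")
    if payload_len > MAX_PAYLOAD:
        return VerifyResult(False, None, "declared payload length exceeds bound")
    # Exact-length check catches both truncation and trailing appended data.
    if len(blob) != HEADER.size + payload_len + TAG_LEN:
        return VerifyResult(False, None, "length mismatch: truncated or padded image")
    body = blob[: HEADER.size + payload_len]
    tag = blob[HEADER.size + payload_len :]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so tag checking does not leak via timing.
    if not hmac.compare_digest(tag, expected):
        return VerifyResult(False, None, "integrity tag mismatch: image rejected")
    # Anti-rollback: a validly tagged but older image must not replace a newer one.
    if version <= installed_version:
        return VerifyResult(False, version, "version not newer than installed: rollback rejected")
    return VerifyResult(True, version, "ok")


if __name__ == "__main__":
    key = b"constructed-device-key-for-demo-only"  # constructed value, not a real key
    good = build_image(5, b"\x00" * 100, key)
    tampered = bytearray(good)
    tampered[HEADER.size + 8] ^= 0x01  # flip one payload bit
    cases = [("good", good), ("tampered", bytes(tampered)), ("tag stripped", good[:-TAG_LEN])]
    for label, blob in cases:
        print(label, verify_image(blob, key, installed_version=4))
    print("downgrade", verify_image(good, key, installed_version=5))
```

The ordering matters: every structural check (size, magic, declared length) runs before the tag is computed so that a hostile length field cannot drive the verifier into reading past the buffer, and the version comparison runs only after the tag is accepted so that an attacker cannot learn anything about the installed version from an unauthenticated image.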
WORKAROUND: Monitor for anomalies in inverter status, firmware versions, and performance; report suspected tampering to EG4 support
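The workaround above asks operators to watch inverter status, firmware versions and performance for anomalies. The following Python is an added example, not an EG4 tool, of that monitoring run over a constructed CSV telemetry feed: it raises an alert when a unit reports a firmware version that differs from the audited baseline or from its previous poll (flagging whether the new version is outside an approved set), when AC output falls below half of the previous poll, and when grid state flips from connected to disconnected. The column names, serial numbers, version strings and the drop threshold are assumptions for illustration.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry (not real EG4 output): one row per status poll.
SAMPLE_STATUS = """\
serial,ts,fw_version,ac_output_w,grid_state
INV-001,2025-08-07T10:00:00Z,1.4.2,5200,connected
INV-002,2025-08-07T10:00:00Z,1.4.2,4900,connected
INV-001,2025-08-07T10:05:00Z,1.4.2,5150,connected
INV-002,2025-08-07T10:05:00Z,9.9.9,4950,connected
INV-001,2025-08-07T10:10:00Z,1.4.2,0,disconnected
INV-002,2025-08-07T10:10:00Z,9.9.9,4980,connected
"""

# Constructed baseline: the firmware each unit was known to run at the last audit,
# and the set of versions operations has approved for deployment.
BASELINE_FW = {"INV-001": "1.4.2", "INV-002": "1.4.2"}
APPROVED_FW = {"1.4.2", "1.4.3"}
OUTPUT_DROP_RATIO = 0.5  # alert when output falls below half the previous poll

Alert = Tuple[str, str, str]  # (serial, timestamp, message)


def detect_anomalies(status_csv: str, baseline: Dict[str, str], approved: Set[str]) -> List[Alert]:
    """Walk the polls in order and emit one alert per detected change."""
    alerts: List[Alert] = []
    last_fw = dict(baseline)  # seeded from the baseline so a first-poll change is caught
    last_output: Dict[str, int] = {}
    last_state: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(status_csv)):
        serial, ts, fw = row["serial"], row["ts"], row["fw_version"]
        output, state = int(row["ac_output_w"]), row["grid_state"]

        # Firmware version changed since the baseline or the previous poll.
        if fw != last_fw.get(serial):
            note = "" if fw in approved else " (not in approved set)"
            alerts.append((serial, ts, f"firmware changed from {last_fw.get(serial)} to {fw}{note}"))
        last_fw[serial] = fw

        # Sudden output collapse between consecutive polls.
        prev = last_output.get(serial)
        if prev is not None and output < prev * OUTPUT_DROP_RATIO:
            alerts.append((serial, ts, f"output dropped from {prev} W to {output} W"))
        last_output[serial] = output

        # Grid state flipping from connected to disconnected.
        if state == "disconnected" and last_state.get(serial) == "connected":
            alerts.append((serial, ts, "grid state changed to disconnected"))
        last_state[serial] = state
    return alerts


def run_sample() -> List[Alert]:
    """Run the detector over the constructed feed above."""
    return detect_anomalies(SAMPLE_STATUS, BASELINE_FW, APPROVED_FW)


if __name__ == "__main__":
    for serial, ts, msg in run_sample():
        print(f"{ts} {serial}: {msg}")
```

Alerting on a change rather than on every poll that shows the unexpected state keeps the output to one line per event, which is what an operator then reports to EG4 support with the serial and timestamp; in a real deployment the baseline would be refreshed only after an authorised update is confirmed.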
API: /api/v1/advisories/eaccddbc-2804-4883-a8c0-c91ca3c6ab63