SunPower PVS6

Plan PatchCVSS 9.6ICS-CERT ICSA-25-245-03Sep 2, 2025

Energy

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The SunPower PVS6 solar inverter contains a hardcoded credentials vulnerability (CWE-798) that allows unauthenticated attackers with local network access to gain full administrative control of the device. Successful exploitation enables firmware replacement, configuration modification, device disabling, SSH tunnel creation, and manipulation of attached devices. SunPower has not responded to CISA coordination efforts and no patch is planned.

What this means

What could happen

An attacker with physical or local network access to the PVS6 solar inverter could gain complete control of the device, allowing them to modify firmware, change operational settings, disable power output, or create backdoor access—disrupting solar generation and potentially affecting grid stability.

Who's at risk

This vulnerability affects solar power systems using the SunPower PVS6 inverter, which is commonly deployed in utility-scale and commercial solar installations. Any organization operating solar photovoltaic (PV) power generation systems with PVS6 inverters should be concerned, including electric utilities, energy cooperatives, industrial facilities with on-site solar, and commercial property operators.

How it could be exploited

An attacker must be on the same local network segment (LAN) as the PVS6 device. They can then exploit hardcoded credentials (CWE-798) to authenticate to the device and execute arbitrary commands, gaining full administrative control without requiring any additional user interaction.

Prerequisites

Local or LAN-adjacent network access to the PVS6 device (not remotely exploitable from the Internet)
Access to port or interface used for device administration (typically HTTP/HTTPS or SSH)
Knowledge of or access to hardcoded credentials stored on the device

no authentication required (hardcoded credentials)affects critical energy/power generation equipmentno patch available (vendor unresponsive)physical or LAN adjacency required (limits but does not eliminate risk)potential for firmware replacement enabling persistent backdoor access

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (1)

ProductAffected VersionsFix Status

PVS6: <=2025.06_build_61839≤ 2025.06 build 61839No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIsolate the PVS6 inverter and its management network from direct Internet access; place behind a firewall with restrictive inbound rules

WORKAROUNDRestrict network access to the PVS6 management interface to authorized personnel only (e.g., use firewall rules to limit access to specific engineer IP ranges or jump servers)

HARDENINGDisable or restrict remote access capabilities to the PVS6 (SSH tunnels, remote management protocols) unless absolutely required for operations

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement network segmentation to isolate the solar inverter management network from the main business network and any untrusted networks

HARDENINGMonitor network traffic to and from the PVS6 for unauthorized access attempts or suspicious commands

CVEs (1)

CVE-2025-9696

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6a925408-a48b-4996-a5a9-142d64022dea

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.