Siemens KACO Blueplanet Inverters

Plan Patch | CVSS 8.3 | ICS-CERT ICSA-26-160-02 | May 12, 2026
Siemens | Energy
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

KACO blueplanet inverters contain vulnerabilities allowing attackers to derive login credentials from the device's serial number and gain unauthorized access to the inverter. An attacker could then modify power output settings, disable the inverter, or disrupt its grid-tied operation. The vulnerability affects multiple inverter models across different firmware versions. Some models have been patched (TL3 GEN2 series to version 6.1.4.9, gridsafe TL3-S to version 3.91), but many older models (NX3, standard TL3, and some legacy models) have no fixes planned or available.

What this means
What could happen
An attacker with network access to a KACO inverter could derive the device's credentials from the serial number and gain unauthorized access to modify power output settings, disable the inverter, or disrupt grid-tied solar generation. This could interrupt renewable energy supply to your utility grid or affect customer-owned solar installations connected through your network.
Who's at risk
Energy utilities and solar facility operators managing KACO blueplanet grid-tied inverters (particularly 100, 105, 125, 150, 155, 165, and 87/92 kW models). This affects both utility-scale and large distributed solar installations. Facilities relying on these inverters for renewable energy generation and grid stability are most impacted.
How it could be exploited
An attacker on your network discovers an inverter's serial number (visible on the device or via network scanning) and derives login credentials from it using a known algorithm. The attacker then accesses the inverter's web interface or management port with these credentials to execute unauthorized commands or reconfigure the device.
Prerequisites
  • Network access to the inverter (LAN segment where the device is reachable)
  • Ability to obtain or observe the inverter's serial number
  • Access to the inverter's web interface or management interface (typically port 80/443)
  • remotely exploitable
  • low complexity
  • no authentication required (credentials derived from serial number)
  • affects multiple product lines with no fix planned
  • impacts critical grid infrastructure (renewable energy generation)
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (23)
11 with fix, 11 pending, 1 EOL
Product | Affected Versions | Fix Status
blueplanet 100 NX3 M8 | All versions | No fix yet
blueplanet 100 TL3 GEN2 | All versions | < 6.1.4.9 → 6.1.4.9
blueplanet 105 TL3 | All versions | No fix yet
blueplanet 105 TL3 GEN2 | All versions | < 6.1.4.9 → 6.1.4.9
blueplanet 110 TL3 | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to inverter management interfaces to authorized engineering staff only; disable external internet access to the device if not required for remote monitoring
HARDENING: Change default or derived credentials on all inverters, particularly those with no patch available, and enforce strong passwords
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all blueplanet TL3 GEN2 inverters (100, 105, 125, 150, 155, 165 models) to firmware version 6.1.4.9 or later
HOTFIX: Update all blueplanet gridsafe TL3-S inverters (92.0, 110, 137 models) to firmware version 3.91 or later
Mitigations - no patch available
blueplanet 3.0 TL3-60.0 TL3 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment inverters onto a separate VLAN with firewall rules limiting access to only necessary management personnel and monitoring systems
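
A triage sketch for the remediation steps above, added here as an example and not part of the advisory or any vendor tooling: it sorts an asset inventory into update, patched, and no-fix buckets using the fixed versions stated on this page. The CSV layout, hostnames, sample firmware values, the spelling of gridsafe model names and the dotted-numeric version comparison are assumptions.

```python
import csv
import io
import re

# Fixed versions from the advisory (None = no fix); specific families first.
FAMILIES = [
    (re.compile(r"\bTL3 GEN2\b", re.I), "6.1.4.9"),
    (re.compile(r"\bgridsafe\b.*\bTL3-S\b", re.I), "3.91"),
    (re.compile(r"\bNX3\b", re.I), None),
    (re.compile(r"\bTL3\b", re.I), None),  # standard and EOL TL3 units
]

def parse_version(text):
    """Dotted numeric version -> tuple of ints; None if malformed (assumed format)."""
    parts = text.strip().split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def triage(model, firmware):
    """Map one inverter to a remediation bucket from the advisory."""
    for pattern, fixed in FAMILIES:
        if not pattern.search(model):
            continue
        if fixed is None:
            return "NO_FIX: restrict access, change credentials, segment"
        current = parse_version(firmware)
        if current is None:
            return "UNKNOWN_VERSION: verify firmware on the device"
        if current >= parse_version(fixed):
            return "PATCHED"
        return f"UPDATE: to {fixed} or later"
    return "NOT_MATCHED: compare against the advisory's product list"

def triage_inventory(csv_text):
    """Return [(host, status)] for an inventory with host,model,firmware columns."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], triage(r["model"], r["firmware"])) for r in rows]

# Constructed sample inventory (hostnames, versions and column layout are made up).
SAMPLE = """host,model,firmware
inv-01,blueplanet 125 TL3 GEN2,6.1.4.2
inv-02,blueplanet 150 TL3 GEN2,6.1.4.9
inv-03,blueplanet gridsafe 110 TL3-S,3.90
inv-04,blueplanet 100 NX3 M8,1.0.0
inv-05,blueplanet 155 TL3 GEN2,unknown
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE):
        print(f"{host:8} {status}")
```

Units reported as NO_FIX or UNKNOWN_VERSION are the ones to prioritize for the network restriction and credential-change steps listed above.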
API: /api/v1/advisories/c36db27c-7345-41f4-8444-f226ec9c46f2
