Executive Summary

KACO blueplanet inverters derive device credentials from the serial number, which means an attacker who knows or guesses the serial can compute working login credentials and gain unauthorized access. The physical criticality is direct: inverter access permits manipulation of power conversion parameters, remote shutdown, and configuration tampering across distributed solar generation assets.

Technical Exposure Breakdown

CVE-2025-40946 is rated CVSS 8.3 and stems from a credential generation scheme that ties authentication secrets to the device serial number. Serial numbers are not secrets. They are printed on chassis labels, logged in commissioning documents, exposed in maintenance portals, and frequently broadcast or queryable over management interfaces. When a credential is a deterministic function of a low-entropy, semi-public identifier, the authentication boundary collapses.

The attack vector does not require an authenticated session to begin. An attacker who obtains the serial number, whether through physical inspection, photographs, asset inventories, or network enumeration, can derive the credential offline and then authenticate as a legitimate user. If the management interface is reachable across an aggregation network or a poorly segmented field network, this becomes a remote attack with no brute force noise and no failed login telemetry to trip detection.

The condition that makes this severe in solar deployments is scale. Utility and commercial PV sites field dozens to hundreds of inverters from the same product family, often sharing the same credential derivation logic. Compromise of the algorithm is a compromise of the fleet, not a single device. Serial ranges are frequently sequential, which means an attacker who confirms the derivation method against one unit can predict credentials for adjacent units.

OT Impact and Compliance Risk

Inverters are the control surface between DC generation and the AC grid. Unauthorized access permits setpoint manipulation, curtailment, premature trip, firmware tampering, and disablement of protective functions. At fleet scale, coordinated inverter shutdown is a grid-stability event, not a maintenance inconvenience. Manipulation of reactive power and frequency response parameters can degrade interconnection compliance and stress upstream protection.

For IEC 62443, this defect violates foundational requirements around identification and authentication control (FR 1) and the principle that authentication secrets must carry adequate entropy independent of public identifiers. For NERC CIP-registered entities operating generation connected to the bulk electric system, devices reachable with derivable credentials undermine CIP-005 electronic security perimeter assumptions and CIP-007 system security management for access controls. Distributed and behind-the-meter solar may sit outside NERC scope but remains exposed to the same operational risk. Operators should treat any inventory of these inverters as having shared, computable credentials until patched.

Compensating Controls

Do not rely solely on the vendor update, and recognize that some affected products do not yet have fixes available. Active scanning of inverter management interfaces can disrupt or brick field devices, so enumerate from passive traffic capture and engineering records rather than aggressive probing.
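Because a derived credential succeeds on the first attempt, the usual failed-login signal described in the attack-vector section above is absent, so one compensating detection is to alert on clean first-try success fan-out: a single source authenticating to many inverters in a short window with no failures at all. The Python below is an added example, not BreachSpider's or KACO's code; the gateway log format, device names and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of management-gateway auth logs (format is an assumption,
# not a real KACO log format). One line per login attempt.
SAMPLE_LOG = """\
2025-06-01T02:14:03Z inv=INV-0001 src=10.20.30.5 user=service result=SUCCESS
2025-06-01T02:14:09Z inv=INV-0002 src=10.20.30.5 user=service result=SUCCESS
2025-06-01T02:14:15Z inv=INV-0003 src=10.20.30.5 user=service result=SUCCESS
2025-06-01T02:14:21Z inv=INV-0004 src=10.20.30.5 user=service result=SUCCESS
2025-06-01T09:00:00Z inv=INV-0001 src=10.20.40.9 user=service result=FAIL
2025-06-01T09:00:12Z inv=INV-0001 src=10.20.40.9 user=service result=SUCCESS
2025-06-01T09:30:00Z inv=INV-0007 src=10.20.40.9 user=service result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) inv=(?P<inv>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)

def parse(log_text):
    """Parse log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def first_try_fanout(events, min_devices=3, window=timedelta(minutes=10)):
    """Return {src: [inverters]} for sources whose FIRST attempt against
    >= min_devices distinct inverters succeeded within `window`.
    A human with a password typically fumbles at least once; a computed
    credential never does, so clean fan-out is the signal to hunt."""
    first_outcome = {}         # (src, inv) -> result of the first attempt
    clean = defaultdict(list)  # src -> [(ts, inv)] of first-try successes
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["inv"])
        if key in first_outcome:
            continue  # only the first attempt per source/device counts
        first_outcome[key] = ev["result"]
        if ev["result"] == "SUCCESS":
            clean[ev["src"]].append((ev["ts"], ev["inv"]))
    alerts = {}
    for src, hits in clean.items():
        for i, (start, _) in enumerate(hits):
            span = [inv for ts, inv in hits[i:] if ts - start <= window]
            if len(span) >= min_devices:
                alerts[src] = span
                break
    return alerts

def run(log_text=SAMPLE_LOG):
    return first_try_fanout(parse(log_text))
```

On the sample data the 10.20.30.5 source is flagged for four clean logins in eighteen seconds, while 10.20.40.9 is not, because its first attempt against INV-0001 failed and its later success is a single device.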

BreachSpider Intel tracks credential-derivation defects and KEV program activity across 25,000+ ICS CVEs so OT teams can monitor exposure of inverter fleets and other field assets in near real time.