The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning of multiple high-severity vulnerabilities affecting all versions of several EG4 Electronics inverter models: the EG4 12kPV, 18kPV, Flex 21, Flex 18, 6000XP, 12000XP, and GridBoss. If exploited, the flaws could allow attackers to intercept and tamper with data, install malicious firmware, hijack device control, and disrupt power generation.
“Successful exploitation of these vulnerabilities could allow an attacker to intercept and manipulate critical data, install malicious firmware, hijack device access, and gain unauthorized control over the system,” the advisory warns.
The advisory details four major vulnerabilities:
1. Cleartext Transmission of Sensitive Information (CVE-2025-52586, CVSS 7.5)
The MOD3 command traffic between the inverter and its monitoring application is sent in plaintext, without encryption. An attacker with access to the local network can therefore read, modify, or replay commands, potentially altering voltage, current, or power settings, resetting the system, or shutting down power generation altogether.
2. Download of Code Without Integrity Check (CVE-2025-53520, CVSS 8.6)
EG4 inverters install firmware updates without verifying their integrity. The firmware archive format (TTComp) is unencrypted and can be modified, so an attacker can deliver altered firmware via USB, a serial connection, or EG4's cloud interface without the device detecting the change.
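The following Go program is an added illustration, not EG4's code and not the TTComp format (whose layout the advisory does not describe). It contrasts an installer that accepts any well-formed archive with one that requires a detached Ed25519 signature, made with the vendor's private key, to verify against a public key pinned in the device, regardless of whether the image arrived over USB, serial, or the cloud. It also refuses rollback to a lower firmware version, which a signature check alone does not prevent. The image layout (a 4-byte magic, a 2-byte version, then the payload), the key generation, and the payload bytes are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Illustrative image layout assumed by this example (not EG4's TTComp format):
// a 4-byte magic, a 2-byte big-endian version, then the payload.
var fwMagic = []byte("FWIM")

func buildImage(version uint16, payload []byte) []byte {
	img := append([]byte{}, fwMagic...)
	img = append(img, byte(version>>8), byte(version))
	return append(img, payload...)
}

func imageVersion(image []byte) uint16 {
	return uint16(image[4])<<8 | uint16(image[5])
}

// installUnverified mirrors the flaw: any well-formed archive is accepted, so a
// payload altered on a USB stick or in transit installs just like a genuine one.
func installUnverified(image []byte) error {
	if len(image) < 6 || !bytes.HasPrefix(image, fwMagic) {
		return errors.New("malformed image")
	}
	return nil // the device would write the payload to flash here
}

// signedUpdate is what the vendor would ship: the image plus a detached
// Ed25519 signature over the whole image, made with the vendor's private key.
type signedUpdate struct {
	Image     []byte
	Signature []byte
}

func signUpdate(vendorPriv ed25519.PrivateKey, image []byte) signedUpdate {
	return signedUpdate{Image: image, Signature: ed25519.Sign(vendorPriv, image)}
}

// installVerified is the hardened path: the device carries the vendor's public
// key (pinned at manufacture), refuses any image whose signature does not
// verify, and refuses a signed but older image (rollback to a vulnerable build).
func installVerified(vendorPub ed25519.PublicKey, u signedUpdate, installedVersion uint16) error {
	if len(u.Image) < 6 || !bytes.HasPrefix(u.Image, fwMagic) {
		return errors.New("malformed image")
	}
	if !ed25519.Verify(vendorPub, u.Image, u.Signature) {
		return errors.New("firmware signature invalid: refusing to install")
	}
	if imageVersion(u.Image) < installedVersion {
		return errors.New("rollback to older firmware refused")
	}
	return nil
}

// newVendorKey stands in for the vendor's signing key; in production the
// private half would live in an HSM and never reach the device.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// tamper returns a copy of image with its last payload byte flipped.
func tamper(image []byte) []byte {
	t := append([]byte{}, image...)
	t[len(t)-1] ^= 0xff
	return t
}

func main() {
	pub, priv := newVendorKey()
	genuine := buildImage(2, []byte("constructed payload")) // constructed sample
	update := signUpdate(priv, genuine)
	fmt.Println("genuine, verified:", installVerified(pub, update, 1))
	fmt.Println("tampered, unverified:", installUnverified(tamper(genuine)))
	fmt.Println("tampered, verified:", installVerified(pub, signedUpdate{tamper(genuine), update.Signature}, 1))
	_, attackerPriv := newVendorKey()
	fmt.Println("attacker-signed, verified:", installVerified(pub, signUpdate(attackerPriv, genuine), 1))
	fmt.Println("rollback, verified:", installVerified(pub, update, 3))
}
```

The signature covers the entire image, so a change anywhere in the archive invalidates it, and because the public key is fixed in the device the delivery channel no longer matters. Note that the unverified path happily accepts the tampered image, which is exactly the situation the advisory describes.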
3. Observable Discrepancy (CVE-2025-47872, CVSS 6.9)
The public registration API returns a different response depending on the state of the submitted serial number (S/N): valid and unregistered, already registered, or nonexistent. Because S/Ns are assigned sequentially, an attacker can walk through the range and learn which devices exist and which are registered, aiding targeted attacks.
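As an added example (not EG4's API, and with a constructed device table), the Go program below shows how distinguishable replies from a registration endpoint let an unauthenticated caller sort a sequential serial range into known-and-claimed, known-and-unclaimed, and unknown devices, and what the hardened endpoint looks like: one reply for every outcome, with the real result sent to the device owner out of band. The serials, the reply strings, and the range scanned are this example's own assumptions.

```go
package main

import "fmt"

// Constructed stand-in for the vendor cloud's device table. Serials are
// sequential, as the advisory notes; the entries themselves are made up.
var registered = map[string]bool{
	"4100001": true,  // valid, already claimed by an owner
	"4100002": false, // valid, not yet registered
	"4100003": true,
}

// leakyRegister mirrors the observable discrepancy: three distinguishable
// replies tell the caller whether a serial exists and whether it is claimed.
func leakyRegister(serial string) string {
	claimed, known := registered[serial]
	switch {
	case !known:
		return "unknown serial number"
	case claimed:
		return "device already registered"
	}
	return "registration accepted"
}

// enumerate walks a sequential serial range against a registration endpoint
// and buckets every serial by the reply it gets. Against leakyRegister this
// yields the full list of valid and claimed serials with no credentials at all.
func enumerate(register func(string) string, start, count int) map[string][]string {
	byReply := map[string][]string{}
	for sn := start; sn < start+count; sn++ {
		s := fmt.Sprint(sn)
		r := register(s)
		byReply[r] = append(byReply[r], s)
	}
	return byReply
}

// uniformRegister is the hardened form: the same reply for every outcome, so a
// caller cannot tell valid from invalid or claimed from unclaimed. The real
// outcome is delivered to the registered owner out of band (e.g. by email).
func uniformRegister(serial string) string {
	_ = registered[serial] // lookup still happens; its result is never exposed
	return "if this serial number is valid, its owner will be notified"
}

func main() {
	fmt.Println("leaky:", enumerate(leakyRegister, 4100000, 10))
	fmt.Println("uniform:", enumerate(uniformRegister, 4100000, 10))
}
```

The uniform reply only closes the hole if the HTTP status code, response size, and response time are also the same for every outcome; a different status code or a database lookup that is skipped for unknown serials reopens the discrepancy through a side channel.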
4. Improper Restriction of Excessive Authentication Attempts (CVE-2025-46414, CVSS 9.2)
PIN authentication for registered devices has no rate limiting. An attacker who knows a valid serial number (which the enumeration flaw above can supply) can simply brute-force the PIN. EG4 patched this flaw in a server-side update on April 6, 2025; no user action is required.
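The Go program below is an added example of the control that is missing here, not EG4's server code and not a description of the April 6 fix. It runs an ascending four-digit PIN search against an unthrottled check, which recovers the PIN in a few thousand requests, and then against the same check wrapped in a per-serial failure counter with a timed lockout, which stops the search after a handful of guesses. The device table, PIN length, lockout threshold, and lockout duration are this example's own assumptions.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Constructed stand-in for the cloud's table of registered devices and their
// PINs; serials and PINs are made up for this example.
var devicePINs = map[string]string{
	"4100001": "8421",
	"4100003": "0042",
}

var errBadPIN = errors.New("invalid serial number or PIN")
var errLocked = errors.New("too many failed attempts; try again later")

// checkPIN is the unthrottled check behind the flaw: nothing stops a caller who
// knows a serial from trying all 10,000 four-digit PINs in a row.
func checkPIN(serial, pin string) error {
	expected, known := devicePINs[serial]
	if !known {
		expected = "0000" // dummy compare so unknown serials cost the same time
	}
	match := subtle.ConstantTimeCompare([]byte(pin), []byte(expected)) == 1
	if !known || !match {
		return errBadPIN // same error for unknown serial and wrong PIN
	}
	return nil
}

// pinLimiter wraps checkPIN with a per-serial failure counter and a timed
// lockout; threshold and duration are this example's own choices.
type pinLimiter struct {
	maxFailures int
	lockout     time.Duration
	failures    map[string]int
	lockedUntil map[string]time.Time
	now         func() time.Time // injectable clock so lockout expiry can be tested
}

func newPINLimiter(maxFailures int, lockout time.Duration) *pinLimiter {
	return &pinLimiter{maxFailures, lockout, map[string]int{}, map[string]time.Time{}, time.Now}
}

func (l *pinLimiter) authenticate(serial, pin string) error {
	if l.now().Before(l.lockedUntil[serial]) { // zero time for serials never locked
		return errLocked
	}
	if err := checkPIN(serial, pin); err != nil {
		l.failures[serial]++
		if l.failures[serial] >= l.maxFailures {
			l.lockedUntil[serial] = l.now().Add(l.lockout)
			delete(l.failures, serial)
		}
		return err
	}
	delete(l.failures, serial)
	return nil
}

// bruteForce tries four-digit PINs in ascending order and reports the PIN found
// (if any), how many guesses it made, and whether the server locked the serial.
func bruteForce(auth func(serial, pin string) error, serial string) (pin string, guesses int, locked bool) {
	for i := 0; i < 10000; i++ {
		guesses++
		candidate := fmt.Sprintf("%04d", i)
		if err := auth(serial, candidate); err == nil {
			return candidate, guesses, false
		} else if errors.Is(err, errLocked) {
			return "", guesses, true
		}
	}
	return "", guesses, false
}

func main() {
	pin, n, _ := bruteForce(checkPIN, "4100001")
	fmt.Printf("unthrottled: PIN %s recovered after %d guesses\n", pin, n)
	lim := newPINLimiter(5, 15*time.Minute)
	_, n, locked := bruteForce(lim.authenticate, "4100001")
	fmt.Printf("with lockout: locked=%v after %d guesses\n", locked, n)
}
```

A lockout keyed on the serial number has a cost: because serials are guessable, an attacker can lock legitimate owners out of their own devices on purpose. A production design would pair the counter with progressive delays, alerting on repeated failures, and a PIN space larger than four digits rather than rely on lockout alone.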
EG4 has confirmed it is actively working on fixes, with new hardware expected by October 15, 2025. In the meantime, CISA recommends that operators:
- restrict network access to the inverters;
- avoid exposing device interfaces to the internet;
- monitor system logs for suspicious activity;
- work with EG4 support on case-by-case mitigations.