The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory highlighting a critical vulnerability in SunPower PVS6 solar inverters that could allow attackers to gain full control of affected devices. Tracked as CVE-2025-9696 and rated CVSS 9.6 (Critical), this flaw exposes renewable energy systems to risks of disruption, manipulation, and deeper network compromise.
The flaw stems from hardcoded encryption parameters in the BluetoothLE interface of the PVS6. According to CISA, "The SunPower PVS6's BluetoothLE interface is vulnerable due to its use of hardcoded encryption parameters and publicly accessible protocol details. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device's servicing interface."
Successful exploitation grants adversaries the ability to:
- Replace device firmware
- Disable solar power production
- Modify grid settings
- Create SSH tunnels and alter firewall rules
- Manipulate connected devices
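The root cause CISA describes, a servicing interface protected by encryption parameters shared across the whole product line, is worth seeing in miniature. The following is an added illustration, not SunPower's protocol or any code from the advisory: a toy servicing command authenticated with HMAC-SHA256. The key names, device ids, commands and the `servicing-salt` label are all hypothetical. The first design uses one constant compiled into every unit, so any party that has read the public protocol details can produce valid commands for any device; the second provisions a unique secret per unit at manufacture and derives the working key from it with HKDF, so material from the documentation or from another unit no longer authenticates.

```python
import hashlib
import hmac
import secrets

# Constructed for illustration only: a toy "servicing command" channel authenticated
# with HMAC-SHA256. Nothing here is the PVS6 protocol; all names and values are hypothetical.

# Weak design: one fixed key compiled into every unit of the product line.
# Once the protocol details are public, this constant is effectively public too.
HARDCODED_KEY = b"product-line-shared-key-0001"  # constructed placeholder, not a real value


def tag_command(key: bytes, device_id: bytes, command: bytes) -> bytes:
    """Authenticate a servicing command bound to one device id (HMAC-SHA256)."""
    return hmac.new(key, device_id + b"|" + command, hashlib.sha256).digest()


def verify_command(key: bytes, device_id: bytes, command: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the presented tag against the expected one."""
    return hmac.compare_digest(tag_command(key, device_id, command), tag)


class HardcodedKeyDevice:
    """Vulnerable pattern: every unit verifies against the same shared constant."""

    def __init__(self, device_id: bytes):
        self.device_id = device_id
        self.key = HARDCODED_KEY

    def accepts(self, command: bytes, tag: bytes) -> bool:
        return verify_command(self.key, self.device_id, command, tag)


class PerDeviceKeyDevice:
    """Hardened pattern: a unique secret per unit (provisioned at manufacture) and a
    working key derived from it with HKDF-SHA256 (RFC 5869), bound to the device id."""

    def __init__(self, device_id: bytes, unit_secret: bytes):
        self.device_id = device_id
        # hashlib has no HKDF helper, so extract and a single expand block are spelled out.
        prk = hmac.new(b"servicing-salt", unit_secret, hashlib.sha256).digest()
        info = b"servicing-key|" + device_id
        self.key = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

    def accepts(self, command: bytes, tag: bytes) -> bool:
        return verify_command(self.key, self.device_id, command, tag)


def demo_hardcoded_key_failure() -> bool:
    """With a shared constant, knowing the published protocol is enough to mint a valid
    tag for any unit; returns True when the device accepts such a tag."""
    target = HardcodedKeyDevice(b"unit-A")
    # The third party holds no device-specific material, only the public constant.
    minted = tag_command(HARDCODED_KEY, b"unit-A", b"disable-production")
    return target.accepts(b"disable-production", minted)


def demo_per_device_key_holds() -> bool:
    """With per-unit secrets, tags built from the old constant or from another unit's key
    are rejected, while the authorised tool holding unit-A's secret is still accepted."""
    secret_a = secrets.token_bytes(32)  # constructed: what manufacturing would provision
    target = PerDeviceKeyDevice(b"unit-A", secret_a)

    # Material a public specification could reveal: the former shared constant.
    stale = tag_command(HARDCODED_KEY, b"unit-A", b"disable-production")
    rejected_stale = not target.accepts(b"disable-production", stale)

    # Material from a different unit: keys are per device, so it does not carry over.
    other = PerDeviceKeyDevice(b"unit-B", secrets.token_bytes(32))
    cross = tag_command(other.key, b"unit-A", b"disable-production")
    rejected_cross = not target.accepts(b"disable-production", cross)

    # The authorised servicing tool derives the same key from the same secret.
    tool_key = PerDeviceKeyDevice(b"unit-A", secret_a).key
    legit = tag_command(tool_key, b"unit-A", b"read-status")
    accepted_legit = target.accepts(b"read-status", legit)

    return rejected_stale and rejected_cross and accepted_legit


if __name__ == "__main__":
    print("shared constant accepted by any unit:", demo_hardcoded_key_failure())
    print("per-device key rejects foreign material:", demo_per_device_key_holds())
```

The fix is not a stronger cipher or a longer constant; it is removing the assumption that one secret can be both embedded in every shipped unit and kept from anyone who studies the firmware or the protocol. Per-device provisioning also limits the blast radius of any single unit being reverse-engineered, which matters when the interface can reach firmware replacement and grid settings.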
CISA confirmed that the following versions are impacted:
- SunPower PVS6: Versions 2025.06 build 61839 and prior
CISA emphasizes that no public exploitation has been observed yet, but defenders should act proactively. Recommended steps include:
- Minimizing network exposure for all control system devices, ensuring they are not internet-accessible.
- Placing devices behind firewalls and isolating control networks from business networks.
- Using secure VPNs when remote access is required, while keeping them updated and recognizing their own potential vulnerabilities.
CISA directs users to contact SunPower for further information and remediation guidance.