Full Report
KACO blueplanet Inverters contain multiple vulnerabilities that could allow an attacker to derive the credentials from the device's serial number and misuse them to gain unauthorized access. KACO new energy GmbH has released new versions for several affected products and recommends updating to the latest versions. KACO new energy GmbH is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Weak Credential Generation and SQL Injection in KACO Blueplanet Inverters
## CVE Details
- **CVE ID:** CVE-2025-40946
- **CVSS Score:** 8.3 (High) / CVSS v4.0: 7.2
- **CWE:** CWE-321: Use of Hard-coded Cryptographic Key
- **CVE ID:** CVE-2026-41125
- **CVSS Score:** 6.0 (Medium) / CVSS v4.0: 5.9
- **CWE:** CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
## Affected Systems
- **Products:** KACO blueplanet Inverter series (3.0 TL3 to 125 NX3 M11), including GEN2 models.
- **Versions:**
  - **CVE-2025-40946:** Multiple models; GEN2 models are vulnerable in versions prior to V6.1.4.9.
  - **CVE-2026-41125:** Affects blueplanet 87.0 TL3 through 125 NX3 M11 models.
- **Configurations:** Devices exposed to the local/adjacent network.
## Vulnerability Description
- **CVE-2025-40946:** The devices utilize a CRC16-based algorithm to generate Technical Service credentials. Because the algorithm relies on the device's serial number, an attacker can derive the password and gain unauthorized administrative access.
- **CVE-2026-41125:** An SQL injection vulnerability exists in the KACO Meteor server. This allows an authenticated attacker to execute malicious SQL commands to escalate privileges.
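As an added illustration of the vulnerability class named above (this is example code, not code from KACO or the Meteor server, whose implementation the advisory does not describe), the following Python/sqlite3 snippet places a string-formatted role lookup beside the parameterized form that closes the hole. The `users` table, its rows, and the role-escalation scenario are all constructed for the example.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory table standing in for a server-side user/role store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("operator", "user"), ("service", "admin")],
    )
    return conn


def lookup_role_vulnerable(conn, name):
    """Builds the statement by string formatting: caller input becomes SQL syntax.

    An authenticated low-privilege user who controls `name` can change the
    WHERE clause and have the server return a role it never granted them.
    """
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_role_hardened(conn, name):
    """Parameterized query: the driver binds `name` as a value, never as SQL text."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    # Input containing SQL syntax: executed as SQL by the formatted query,
    # treated as an (unknown) user name by the bound query.
    crafted = "nobody' OR role = 'admin' --"
    print("vulnerable:", lookup_role_vulnerable(db, crafted))  # admin
    print("hardened:  ", lookup_role_hardened(db, crafted))    # None
```

The hardened function is the only change needed at the query layer; a regression test that feeds the crafted value to both functions and expects `None` from the hardened one is the cheapest way to keep the fix from being undone.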
## Exploitation
- **Status:** The advisory does not state whether a public PoC exists or whether exploitation has been observed; the issues were disclosed through coordinated research.
- **Complexity:**
  - **CVE-2025-40946:** Low
  - **CVE-2026-41125:** High
- **Attack Vector:** Adjacent (requires access to the local network or the network segment where the inverter resides).
## Impact
- **Confidentiality:** Low (Access to device settings/data).
- **Integrity:** High (Potential to modify grid-critical settings or inverter performance).
- **Availability:** High (Potential to disrupt power conversion or shut down the unit).
## Remediation
### Patches
- **GEN2 Models (87.0 TL3, 92.0 TL3, 100 TL3, 105 TL3):** Update to version **V6.1.4.9** or later.
- **Other Models:** Currently, no fix is available or planned for several older models (e.g., 3.0 TL3-60.0 TL3). Users should monitor the KACO portal for updates.
### Workarounds
- Protect network access to the inverters with appropriate security mechanisms (e.g., firewalls, VLAN segmentation).
- Ensure the devices are not accessible via the public internet.
- Use VPNs for remote maintenance/access to the local network.
## Detection
- **Indicators of Compromise:** Unusual log entries involving Technical Service logins or unexpected changes to inverter configuration.
- **Detection methods:** Network traffic analysis for SQL injection patterns and monitoring for unauthorized administrative access from unknown MAC/IP addresses.
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-545643.html
- **Support Portal:** hxxps://kaco-newenergy[.]com/service/mykacocom-customer-portal
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories