SSA-545643: Multiple Vulnerabilities in KACO Blueplanet Inverters

HIGH

CVSS 8.3

Date 2026-05-29T00:00:00+00:00

Source siemens-productcert

Published by Siemens ProductCERT

// Description

KACO blueplanet Inverters contain multiple vulnerabilities that could allow an attacker to derive the credentials from the devices serial number and misuse them to gain unauthorized access. KACO new energy GmbH has released new versions for several affected products and recommends to update to the latest versions. KACO new energy GmbH is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.

// Vulnerabilities (2)

CVE ID	CVSS Score	Severity	Description
CVE-2025-40946	8.3	high	CVE-2025-40946. A CRC16-based algorithm for generating Technical Service credentials could allow an attacker to derive the credentials from the devices serial number and misuse them to gain unauthorized access.
CVE-2026-41125	6.0	medium	CVE-2026-41125. Improper neutralization of special elements used in an sql command ('sql injection') in KACO Meteor server allows an authorized attacker to elevate privileges over a local network.

// Remediations (2)

Patch: Update to V3.91 or later version

Update to V3.91 or later version

Patch: Update to V6.1.4.9 or later version

Update to V6.1.4.9 or later version

// References

Siemens ProductCERT SSA-545643
Siemens ProductCERT https://cert-portal.siemens.com/productcert/html/ssa-545643.html
Siemens ProductCERT https://cert-portal.siemens.com/productcert/csaf/ssa-545643.json