Outback Power Mojave Inverter Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the Outback Power Mojave Inverter, which is used in residential grid-connected battery backup systems. Attackers can inject commands through specially crafted POST requests. Additionally, the inverter uses the GET request method for sensitive information, which exposes it to unauthorized data access. All versions of the Outback Power Mojave Inverter are affected.

Impact

Exploitation of this vulnerability could lead to unauthorized command execution on the affected inverter.

Remediation

Users are advised to disable the networking features of the Mojave Inverter until a replacement product can be acquired. CISA recommends taking defensive measures to minimize the risk of exploitation, such as disabling unused functions, minimizing network exposure for control system devices, and using secure remote access methods like virtual private networks (VPNs).

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.7
remediation: 7.9
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.