KACO Blueplanet Inverters CRC16-Based Credential Derivation Vulnerability

A vulnerability exists in multiple KACO blueplanet inverter models, all versions, and certain models in versions prior to 6.1.4.9. This vulnerability allows an attacker to derive Technical Service credentials using a CRC16-based algorithm, exploiting the devices' serial numbers. The derived credentials could be misused to gain unauthorized access to the devices.

Impact

Exploitation of this vulnerability could lead to unauthorized access on the affected devices, allowing for potential misuse of the gained access rights.

Remediation

KACO new energy GmbH has released updates for several affected products. For those products where no fix is currently available, KACO new energy GmbH recommends implementing appropriate security measures and following general security recommendations. Operators should validate any security updates before application and supervise the update process. Recommended security guidelines can be found on the Siemens Grid Security website.