SunPower PVS6 BluetoothLE Interface Vulnerability Allowing Unauthorized Access to Servicing Functions
Vulnerability
A vulnerability has been identified in the BluetoothLE interface of the SunPower PVS6 solar inverter. It stems from hardcoded encryption parameters and publicly accessible protocol details, and it allows an attacker within Bluetooth range to gain full access to the device's servicing interface. Affected versions are PVS6 version 2025.06 build 61839 and prior. With that access, the attacker can replace firmware, disable power production, modify grid settings, create SSH tunnels, alter firewall settings, and manipulate connected devices.
Impact
Exploitation of this vulnerability could lead to unauthorized access to the device, allowing attackers to replace firmware, disrupt power production, modify grid settings, create SSH tunnels, change firewall settings, and manipulate connected devices.
Remediation
SunPower has not responded to CISA's attempt to coordinate on this vulnerability. Users are advised to contact SunPower for more information. CISA recommends minimizing network exposure for control system devices, locating these devices behind firewalls, and using secure remote access methods such as VPNs. Organizations should also follow CISA's recommended practices for ICS cybersecurity.
