CVE-2019-7676

Vulnerability

CVE-2019-7676 is a weak password vulnerability in Enphase Envoy firmware versions R3.*.*. The device exposes TCP port 8888, and a hardcoded or easily guessable admin password can be used to authenticate as the admin account [1]. The specific password and account name are disclosed in public references [1][2][3].

Exploitation

An attacker with network access to the Envoy device can connect to TCP port 8888 and use the disclosed admin credentials to log in [1]. No prior authentication or user interaction is required; the attacker simply needs to be on the same network or have routable access to the device.

Impact

Successful exploitation grants the attacker full administrative access to the Envoy device. This can lead to complete control over the solar energy management system, including the ability to read sensitive data (e.g., energy production information), modify device configuration, or disrupt normal operations [1]. The compromise affects the confidentiality, integrity, and availability of the device and its data.

Mitigation

As of the publication date, no official firmware patch from Enphase has been identified in the available references [1][2][3]. The vendor may have released updates after this research; users should consult Enphase support or the latest firmware release notes. If no patch is available, isolating the device on a separate, firewalled network segment and restricting access to TCP port 8888 can reduce exposure.