VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2021 · Updated Aug 4, 2024

CVE-2020-25752

Description

An issue was discovered on Enphase Envoy R3.x and D4.x devices. There are hardcoded web-panel login passwords for the installer and Enphase accounts. The passwords for these accounts are hardcoded values derived from the MD5 hash of the username and serial number mixed with some static strings. The serial number can be retrieved by an unauthenticated user at /info.xml. These passwords can be easily calculated by an attacker; users are unable to change these passwords.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hardcoded login passwords in Enphase Envoy R3.x/D4.x devices allow attackers to calculate installer/Enphase credentials from the MD5 hash of username and serial number.

Vulnerability

Enphase Envoy R3.x and D4.x devices use hardcoded passwords for the web-panel installer and Enphase accounts [1]. The passwords are derived from an MD5 hash of the username and serial number mixed with static strings. The serial number can be retrieved by an unauthenticated user at /info.xml [1]. Users cannot change these passwords [1].

Exploitation

An attacker can access the serial number via an unauthenticated request to /info.xml [1]. Using the MD5 hash of the username and serial number with known static strings, the attacker can compute the passwords [1]. No authentication or user interaction is required to obtain the serial number [1].

Impact

Successful exploitation grants the attacker access to the Envoy web panel with installer or Enphase account privileges [1]. This allows full system monitoring and management control, potentially compromising the confidentiality and integrity of the solar energy system [1].

Mitigation

Because the passwords are hardcoded and users cannot change them, affected devices remain at risk [1]. The available references do not mention a publicly released fix from Enphase for this issue [1]. Affected users should monitor vendor advisories for firmware updates [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Enphase/Envoy (description)
  • Enphase/Envoy (llm-fuzzy)
    Range: R3.x and D4.x

Patches

0

No patches discovered yet.

References

3
