VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2021 · Updated Aug 4, 2024

CVE-2020-25753

Description

An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 software. The default admin password is set to the last 6 digits of the serial number. The serial number can be retrieved by an unauthenticated user at /info.xml.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Envoy R3.x/D4.x devices with v3 software ship with a default admin password equal to the last 6 digits of the serial number, and the serial number is exposed to unauthenticated users at /info.xml.

Vulnerability

The default administrative password on Enphase Envoy R3.x and D4.x devices running v3 software is set to the last six digits of the device's serial number [1][2]. The serial number itself can be retrieved by any unauthenticated user who accesses the /info.xml endpoint. This design means that an attacker who learns the serial number (through network scanning or social engineering) can compute the default password with no additional authentication or authorization. Affected versions are those identified as Enphase Envoy R3.x or D4.x with v3 software.

Exploitation

No authentication is required to request the /info.xml file; an attacker only needs network access to the device. By making a GET request to http://<device_ip>/info.xml, the response includes the device's serial number in plain text. The attacker then extracts the last six digits and uses that string as the password for the 'admin' account, typically via the web interface or API endpoints that accept basic authentication. The entire attack chain requires no prior credentials, no user interaction, and no special privileges beyond network connectivity.

Impact

Successful exploitation grants the attacker full administrative access to the Envoy device. With this access, the attacker can read real-time and historical energy production/consumption data, modify device configuration settings, perform over-the-air firmware updates (potentially delivering malicious firmware), and remotely manage the solar and battery system. The compromise also exposes any connected IQ Combiner or IQ Gateway to further attack, and may allow the attacker to pivot into the home network. The confidentiality, integrity, and availability of the energy management system are all at risk.

Mitigation

Enphase has released firmware updates that address this vulnerability; users should update their Envoy devices to the latest available software version via the vendor's update mechanism [1]. If immediate patching is not possible, network administrators should restrict access to the /info.xml endpoint by placing the device behind a firewall or VPN, and change the default administrative password to a strong, unique password as soon as possible. The affected devices are not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing. Users of EOL versions should upgrade to a supported model.
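For devices that cannot be patched or isolated immediately, the request sequence described above can be watched for in access logs. The following is an added example, not code from the advisory or from Enphase: it assumes a reverse proxy in front of the Envoy writing combined-format access logs, and the log lines, the `/example-admin` path and the 10-minute window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Combined log format from a reverse proxy in front of the Envoy.
# Assumption: the proxy, its log format and the sample paths are not from the advisory.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "GET /info.xml HTTP/1.1" 200 512
198.51.100.7 - admin [12/Mar/2024:10:00:09 +0000] "GET /example-admin HTTP/1.1" 200 2048
192.0.2.10 - admin [12/Mar/2024:10:05:00 +0000] "GET /example-admin HTTP/1.1" 200 2048
203.0.113.5 - - [12/Mar/2024:11:00:00 +0000] "GET /info.xml HTTP/1.1" 200 512
203.0.113.5 - admin [12/Mar/2024:11:00:03 +0000] "GET /example-admin HTTP/1.1" 401 0
"""

def find_serial_then_admin(log_text, window=WINDOW):
    """Return (ip, info_time, login_time) for each source that fetched
    /info.xml and then got a 2xx response as user 'admin' within `window`."""
    last_info = {}  # ip -> time of the most recent /info.xml fetch
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if path == "/info.xml":
            last_info[ip] = ts
        elif (m["user"] == "admin" and m["status"].startswith("2")
              and ip in last_info
              and timedelta(0) <= ts - last_info[ip] <= window):
            # Serial number disclosure followed by a successful admin request.
            alerts.append((ip, last_info.pop(ip), ts))
    return alerts

if __name__ == "__main__":
    for ip, seen, login in find_serial_then_admin(SAMPLE_LOG):
        print(f"ALERT {ip}: /info.xml at {seen}, admin session at {login}")
```

An admin session with no preceding /info.xml fetch and a failed (401) attempt are both left unflagged here; failed attempts after a serial number fetch may still merit a separate lower-severity rule.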

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
