CVE-2020-25754
Description
An issue was discovered on Enphase Envoy R3.x and D4.x devices. There is a custom PAM module for user authentication that circumvents traditional user authentication. This module uses a password derived from the MD5 hash of the username and serial number. The serial number can be retrieved by an unauthenticated user at /info.xml. Attempts to change the user password via passwd or other tools have no effect.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Enphase Envoy R3.x and D4.x devices have a custom PAM module that uses a predictable password derived from an MD5 hash of username and serial number, which can be obtained unauthenticated.
Vulnerability
The Enphase Envoy devices running firmware R3.x and D4.x include a custom PAM module that bypasses traditional user authentication. Instead, it validates users using a password derived from the MD5 hash of the username and the device's serial number. The serial number can be retrieved by an unauthenticated attacker via the /info.xml endpoint. This affects all Enphase Envoy models with these firmware versions [1].
Exploitation
An unauthenticated attacker can first obtain the device's serial number by requesting /info.xml from the device over HTTP. Then, knowing the username (e.g., "installer" or default accounts), the attacker can compute the MD5 hash of the concatenation of the username and serial number to derive the password. The attacker can then use this password to gain authenticated access to the device's web interface or other services.
Impact
Successful exploitation allows an attacker to gain unauthorized access to the Envoy device with the same privileges as the legitimate user. This can lead to disclosure of sensitive information such as energy production data, system configuration, and potentially the ability to modify device settings or disrupt monitoring.
Mitigation
Enphase has not released a specific patch as of the publication date. Users are advised to restrict network access to the Envoy devices, ensure they are not exposed to the internet, and monitor for any firmware updates from Enphase. The device is not listed on CISA's Known Exploited Vulnerabilities catalog.
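A detection sketch for the sequence described under Exploitation (an anonymous /info.xml fetch followed by an authenticated request from the same client), added here as an example and not taken from Enphase or the cited references. It assumes a reverse proxy or gateway in front of the Envoy writes combined-format access logs with the HTTP auth user in the third field; the log lines, the /home path, the addresses and the trusted subnet are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not captured from a real device).
SAMPLE_LOG = """\
192.168.1.20 - - [12/Mar/2021:10:00:01 +0000] "GET /info.xml HTTP/1.1" 200 512
192.168.1.20 - installer [12/Mar/2021:10:00:20 +0000] "GET /home HTTP/1.1" 200 2048
203.0.113.7 - - [12/Mar/2021:10:05:10 +0000] "GET /info.xml HTTP/1.1" 200 512
203.0.113.7 - installer [12/Mar/2021:10:05:42 +0000] "GET /home HTTP/1.1" 200 2048
198.51.100.9 - - [12/Mar/2021:11:00:00 +0000] "GET /info.xml?x=1 HTTP/1.1" 200 512
198.51.100.9 - installer [12/Mar/2021:11:00:30 +0000] "GET /home HTTP/1.1" 401 128
"""

# client, auth user, timestamp, request path, status
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

def find_suspect_logins(log_text, trusted=("192.168.1.0/24",),
                        window=timedelta(minutes=30)):
    """Return (ip, user, path, seconds_after_probe) for each successful
    authenticated request that follows an anonymous /info.xml fetch from
    the same untrusted client within `window`."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    last_probe = {}  # client IP -> time of its latest anonymous /info.xml fetch
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, user, ts, path, status = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # client field is a hostname or malformed; skip it
        if any(addr in n for n in nets):
            continue  # management hosts are expected to read the serial and log in
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        ok = status.startswith("2")
        if user == "-" and ok and path.split("?")[0] == "/info.xml":
            last_probe[ip] = when
        elif user != "-" and ok and ip in last_probe:
            delta = when - last_probe[ip]
            if delta <= window:
                alerts.append((ip, user, path, delta.total_seconds()))
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_logins(SAMPLE_LOG):
        print(alert)
```

Failed logins after a probe (the 401 in the sample) are not reported; because the password is derivable, a first-attempt success is the signal that matters here.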
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Enphase/Envoy
Patches
No patches discovered yet.
References
- enphase.com/en-us/products-and-services/envoy-and-combiner
- medium.com/stage-2-security/can-solar-controllers-be-used-to-generate-fake-clean-energy-credits-4a7322e7661a
- stage2sec.com