VYPR
Unrated severity · NVD Advisory · Published Jun 20, 2023 · Updated Dec 6, 2024

Enphase Installer Toolkit Android App Use of Hard-coded Credentials

CVE-2023-32274

Description

Enphase Installer Toolkit version 3.27.0 has hard-coded credentials embedded in the binary code of the Android application. An attacker can exploit this to gain access to sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Enphase Installer Toolkit 3.27.0 contains hard-coded credentials in its Android binary, allowing remote attackers to access sensitive information.

Vulnerability

Enphase Installer Toolkit for Android versions 3.27.0 and prior embed hard-coded credentials directly in the binary code of the application [1]. This vulnerability is classified as CWE-798 (Use of Hard-coded Credentials). The affected product is the Enphase Installer Toolkit Android app, version 3.27.0 [1].

Exploitation

An attacker can exploit this vulnerability remotely with low complexity, requiring no privileges and no user interaction [1]. The attacker can extract the hard-coded credentials from the binary and use them to authenticate to backend services or access sensitive data [1].

Impact

Successful exploitation results in the disclosure of sensitive information [1]. The CVSS v3 base score is 8.6, with a vector string of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating high confidentiality impact and a changed scope [1].

Mitigation

Enphase has released a security update that addresses this vulnerability in the Enphase Installer Toolkit Android App [1]. Users should apply the update as soon as possible. Additionally, CISA recommends minimizing network exposure for control system devices and isolating them from business networks [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
