CVE-2025-40946
Description
A vulnerability has been identified in blueplanet 100 NX3 M8 (All versions), blueplanet 100 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 105 TL3 (All versions), blueplanet 105 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 110 TL3 (All versions), blueplanet 125 NX3 M11 (All versions), blueplanet 125 TL3 (All versions), blueplanet 125 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 137 TL3 (All versions), blueplanet 150 TL3 (All versions), blueplanet 150 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 155 TL3 (All versions), blueplanet 155 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 165 TL3 (All versions), blueplanet 165 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 25.0 NX3-33.0 NX3 (All versions), blueplanet 3.0 NX3-20.0 NX3 (All versions), blueplanet 3.0 TL3-60.0 TL3 (All versions), blueplanet 3.0-5.0 NX1 (All versions), blueplanet 360 NX3 M6 (All versions), blueplanet 50.0 NX3-60.0 NX3 (All versions), blueplanet 87.0 TL3 (All versions), blueplanet 87.0 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 92.0 TL3 (All versions), blueplanet 92.0 TL3 GEN2 (All versions < V6.1.4.9), blueplanet gridsafe 110 TL3-S (All versions < V3.91), blueplanet gridsafe 137 TL3-S (All versions < V3.91), blueplanet gridsafe 92.0 TL3-S (All versions < V3.91), blueplanet hybrid 10.0 TL3 (All versions), blueplanet hybrid 6.0 NH3-12.0 NH3 (All versions). A CRC16-based algorithm for generating Technical Service credentials could allow an attacker to derive the credentials from the devices serial number and misuse them to gain unauthorized access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CRC16-based credential derivation from serial number allows unauthorized access to KACO blueplanet inverters.
A vulnerability in KACO blueplanet inverters uses a CRC16-based algorithm to generate Technical Service credentials from the device's serial number. This flaw allows an attacker to derive these credentials if they can obtain the serial number, which is often accessible via SNMP or physical inspection [1].
The attack requires knowledge of the serial number but no authentication. An attacker with network access to the device or physical proximity can compute the credentials offline and then use them to gain unauthorized access to the device's configuration and control interfaces [1].
Successful exploitation grants the attacker Technical Service access, enabling manipulation of device settings, firmware updates, or potential disruption of solar energy generation. This could lead to operational downtime or safety risks [1].
KACO new energy GmbH has released firmware updates for several affected product lines (e.g., versions V6.1.4.9 for TL3 GEN2 models and V3.91 for gridsafe series). For some older products, no fix is planned, and users are advised to restrict network access and monitor for unauthorized activity [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = All versions
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.