CVE-2026-8072

Vulnerability

CVE-2026-8072, with a CVSS v4.0 score of 9.2, affects the Ingecon Sun EMS Board, a device providing connectivity, monitoring, and remote management for solar inverters. The issue stems from insecure generation of credentials for the local SAT (Technical Support) access functionality, where secret credentials were produced using a weak hashing algorithm instead of a secure cryptographic scheme, enabling an attacker to escalate privileges [1].

To exploit this vulnerability, an attacker would need network access to the affected device. The CVSS vector indicates that the attack complexity is high, no privileges are required, and no user interaction is needed, though the attack requires network access [1]. The weak credential generation could allow an attacker to derive or bypass the SAT access credentials, leading to privilege escalation within the device's management interface.

Successful exploitation could grant an attacker high-level access to the EMS Board, potentially allowing manipulation of solar inverter monitoring and management functions, which could impact the power grid at large scale, as referenced in a practical analysis of cyber-physical attacks against solar photovoltaic generation [2].

The vendor has released patches for all affected firmware versions. Users should update to specific patched versions as listed in the advisory, such as AAX1055CU for version AAX1055CT, to mitigate the risk [1].