VYPR advisory · Published Jun 9, 2026 · 1 source

Siemens KACO Blueplanet Inverters Plagued by Credential Derivation and SQL Injection Flaws

Multiple vulnerabilities in Siemens KACO Blueplanet inverters could allow attackers to derive credentials and escalate privileges, impacting critical energy infrastructure.

Siemens has issued a warning regarding several critical vulnerabilities affecting its KACO Blueplanet series of inverters, devices crucial for energy management and grid stability. The advisory highlights two primary flaws: one that allows attackers to derive sensitive credentials from device serial numbers and another that enables privilege escalation through SQL injection.

The first vulnerability, identified as CVE-2025-40946, leverages a weakness in a CRC16-based algorithm used for generating Technical Service credentials. Attackers who obtain a device's serial number, which is often publicly accessible or easily obtainable, can use it to reproduce the hardcoded cryptographic key and derive valid credentials, gaining unauthorized access to the inverter's systems. The CVSSv3 score for this vulnerability is a high 8.3, reflecting its significant potential for impact.
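To make the weakness class concrete, here is an added example (not the advisory's or KACO's code, and not the real algorithm): a constructed CRC16-based "service credential" whose value is fully determined by a public serial number and a firmware constant, placed beside the defensive alternative of a per-device random credential verified only through a salted hash. The key, serial format and polynomial are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical stand-in for a CRC16-based credential scheme (NOT the KACO algorithm).
# The advisory only states that Technical Service credentials derive from the serial
# number via a CRC16-based algorithm with a hardcoded key; everything below is constructed.
POLY = 0x1021  # CRC-16/CCITT-FALSE, a polynomial common in embedded firmware

def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE; the standard check value for b'123456789' is 0x29B1."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

HARDCODED_KEY = b"example-firmware-constant"  # constructed placeholder, not a real key

def weak_service_credential(serial: str) -> str:
    """Weak pattern: the credential is a 16-bit checksum of public data plus a constant
    shared by every device, so it is reproducible by anyone holding the firmware and
    the serial, and it carries at most 16 bits even while the constant stays unknown."""
    return f"{crc16_ccitt(HARDCODED_KEY + serial.encode()):04X}"

def provision_random_credential() -> tuple[str, str]:
    """Defensive alternative: a per-device random secret generated at provisioning,
    unrelated to the serial, with only a salted PBKDF2 verifier retained on the device.
    Returns (credential handed to the service technician, verifier stored on device)."""
    credential = secrets.token_urlsafe(24)  # ~192 bits of entropy
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 200_000)
    return credential, f"{salt.hex()}${digest.hex()}"

def verify_credential(candidate: str, verifier: str) -> bool:
    """Constant-time check of a presented credential against the stored verifier."""
    salt_hex, digest_hex = verifier.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The weak scheme yields the same four hex digits for a given serial on every call and on every device running that firmware, which is why a leaked serial list suffices as an access list; the random scheme gives no relation between serial and credential, and compromise of one device's verifier does not expose others.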

Adding to the security concerns, CVE-2026-41125 is an SQL injection vulnerability present in the KACO Meteor server component of the affected inverters. This flaw, rated as medium severity with a CVSSv3 score of 6, could allow an authenticated attacker on a local network to inject malicious SQL commands. Successful exploitation could lead to privilege escalation, potentially giving an attacker elevated control over the inverter's functions and data.

These vulnerabilities affect a wide range of Siemens KACO Blueplanet inverter models, including various NX3, TL3, and gridsafe series, deployed globally. The extensive list of affected product versions underscores the broad potential impact across the energy sector, a critical infrastructure domain.

Siemens KACO new energy GmbH has begun addressing these issues by releasing updated versions for some of the affected products. Specific fixes include updates to V3.91 or later for certain gridsafe models and V6.1.4.9 or later for other TL3 GEN2 variants. However, the advisory notes that for some products, fixes are not yet available, and Siemens is preparing further patch releases.

For devices where immediate fixes are not available, Siemens recommends implementing specific countermeasures. While the exact nature of these countermeasures is not detailed in the advisory, they typically involve network segmentation, access control, and enhanced monitoring to limit the attack surface and detect malicious activity.

The disclosure of these vulnerabilities by CISA and Siemens highlights the ongoing cybersecurity challenges facing the operational technology (OT) and industrial control systems (ICS) sectors. The ability to derive credentials and execute arbitrary commands on critical infrastructure components like solar inverters poses a significant risk to grid stability and energy supply.

Operators of critical power systems are urged to consult the detailed advisory and apply the recommended updates and mitigations promptly. The vulnerabilities underscore the importance of robust security practices, including regular patching, network security, and continuous monitoring, to protect industrial control systems from evolving cyber threats.

Synthesized by Vypr AI