CVE-2025-9696 Overview
CVE-2025-9696 is a critical vulnerability affecting the SunPower PVS6 solar inverter system's BluetoothLE interface. The device uses hardcoded encryption parameters and publicly accessible protocol details, allowing an attacker within Bluetooth range to gain full access to the device's servicing interface. This vulnerability enables severe compromise of solar power infrastructure, including firmware replacement, disabling power production, modifying grid settings, creating SSH tunnels, altering firewall configurations, and manipulating connected devices.
Critical Impact
Attackers within Bluetooth range can achieve complete device takeover, potentially disrupting power production and manipulating grid-connected solar infrastructure through hardcoded credentials in the BluetoothLE servicing interface.
Affected Products
- SunPower PVS6 Solar Inverter System
- SunPower PVS6 BluetoothLE Interface Module
- SunPower PVS6 Firmware Components
Discovery Timeline
- 2025-09-02 - CVE-2025-9696 published to NVD
- 2025-09-04 - Last updated in NVD database
Technical Details for CVE-2025-9696
Vulnerability Analysis
This vulnerability stems from a fundamental security design flaw in the SunPower PVS6's BluetoothLE interface implementation. The device employs hardcoded encryption parameters that are identical across all deployed units, combined with protocol details that are publicly accessible. This creates a scenario where any attacker who can establish Bluetooth proximity to the device can authenticate and gain privileged access to the servicing interface without requiring any prior knowledge of device-specific credentials.
The CWE-798 (Use of Hard-coded Credentials) classification accurately describes this weakness. Once an attacker gains access to the servicing interface, they have extensive control over the device's operation, including the ability to replace firmware with malicious versions, disable power production entirely, modify grid interconnection parameters, establish persistent remote access through SSH tunnels, reconfigure firewall rules, and manipulate any connected devices in the solar installation.
Root Cause
The root cause of CVE-2025-9696 is the use of hardcoded encryption parameters in the BluetoothLE interface implementation. Rather than implementing unique per-device credentials or certificate-based authentication, the SunPower PVS6 uses static, predetermined encryption keys that are shared across the product line. Combined with publicly documented protocol specifications, this allows any attacker with knowledge of these parameters to bypass authentication entirely.
Attack Vector
The attack requires adjacent network proximity, specifically within Bluetooth Low Energy range (typically up to 100 meters in optimal conditions). An attacker would need to:
- Position themselves within BluetoothLE range of a target PVS6 device
- Use the publicly available protocol details to initiate a connection
- Authenticate using the hardcoded encryption parameters
- Access the servicing interface with full administrative privileges
Once connected, the attacker gains complete control over the device without requiring any user interaction or additional authentication. The adjacent network attack vector means that while remote exploitation over the internet is not directly possible, any attacker with physical proximity to deployed solar installations can compromise these systems.
The vulnerability mechanism relies on the static nature of the hardcoded credentials. When the BluetoothLE stack initializes, it uses predetermined encryption keys for establishing secure connections. Since these keys are embedded in the firmware and identical across devices, an attacker who reverse-engineers the protocol can replicate the authentication process. For detailed technical specifications, refer to the CISA ICS Advisory ICSA-25-245-03.
Detection Methods for CVE-2025-9696
Indicators of Compromise
- Unexpected BluetoothLE connection attempts or established connections to PVS6 devices during non-maintenance periods
- Firmware version changes that do not correspond to authorized update schedules
- Modifications to grid settings, firewall rules, or SSH configurations without documented change requests
- Unexplained power production disruptions or device behavior anomalies
- Presence of unauthorized SSH tunnels or unexpected network traffic from PVS6 devices
Detection Strategies
- Monitor BluetoothLE connection logs for unauthorized pairing attempts or connections from unknown devices
- Implement firmware integrity monitoring to detect unauthorized modifications
- Establish baseline configurations and alert on deviations in grid settings, firewall rules, or network configurations
- Deploy network monitoring to identify unexpected outbound connections or SSH tunnel establishment from solar infrastructure
Monitoring Recommendations
- Configure logging for all BluetoothLE connection events on PVS6 devices where supported
- Implement periodic firmware hash verification against known-good values
- Monitor power production metrics for anomalies that may indicate device tampering
- Deploy physical security monitoring around solar installations to detect unauthorized proximity access
How to Mitigate CVE-2025-9696
Immediate Actions Required
- Review the CISA ICS Advisory ICSA-25-245-03 for vendor-specific guidance and available patches
- Implement physical access controls to limit unauthorized proximity to PVS6 devices
- Consider disabling BluetoothLE functionality if not required for operations
- Audit current device configurations and document baseline settings for change detection
Patch Information
Organizations should consult the CISA ICS Advisory ICSA-25-245-03 for the latest vendor patch information and remediation guidance from SunPower. Given the nature of the vulnerability involving hardcoded credentials, a firmware update addressing the cryptographic implementation would be required for complete remediation.
Workarounds
- Disable BluetoothLE interface on PVS6 devices if the functionality is not operationally required
- Implement physical security perimeters to restrict access within Bluetooth range of deployed devices
- Deploy RF shielding or Faraday cage solutions around critical solar installations where feasible
- Establish network segmentation to isolate PVS6 devices and monitor for anomalous traffic patterns
# Configuration example - Physical security and monitoring recommendations
# Note: Specific commands depend on your monitoring infrastructure
# Example: Network segmentation for solar inverter devices
# Isolate PVS6 devices on dedicated VLAN
# Monitor for unexpected outbound connections
# Example: Physical security controls
# - Install tamper-evident seals on device enclosures
# - Deploy motion sensors around solar installations
# - Implement access logging for maintenance personnel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
