CVE-2026-41125 Overview
CVE-2026-41125 is a SQL injection vulnerability in the KACO Meteor server component used by the Siemens blueplanet inverter product family. The flaw stems from improper neutralization of special elements in SQL commands [CWE-89]. An authenticated attacker with high privileges on an adjacent network can manipulate database queries to elevate privileges. The vulnerability affects all versions of more than 30 blueplanet inverter models, including the NX1, NX3, TL3, TL3 GEN2, gridsafe, and hybrid product lines. Siemens published advisory SSA-545643 to track this issue.
Critical Impact
An adjacent-network attacker with valid high-privilege credentials can inject SQL commands to escalate privileges and compromise the integrity and availability of the KACO Meteor server database.
Affected Products
- Siemens blueplanet TL3 and TL3 GEN2 inverter series (all versions, including 87.0, 92.0, 105, 110, 125, 137, 150, 155, 165)
- Siemens blueplanet NX1 and NX3 inverter series (all versions, including 3.0–5.0 NX1, 3.0–20.0 NX3, 25.0–33.0 NX3, 50.0–60.0 NX3, 100 NX3 M8, 125 NX3 M11, 360 NX3 M6)
- Siemens blueplanet gridsafe TL3-S and blueplanet hybrid NH3/TL3 series (all versions)
Discovery Timeline
- 2026-05-12 - CVE-2026-41125 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41125
Vulnerability Analysis
The vulnerability resides in the KACO Meteor server, a component that supports management and monitoring of Siemens blueplanet photovoltaic inverters. The server fails to properly neutralize special characters supplied in SQL command construction. An attacker who already holds high-privilege credentials can supply crafted input that the server concatenates into a backend SQL query. The injected SQL executes against the underlying database with the privileges of the server process.
Exploitation requires network adjacency, meaning the attacker must reside on the same logical network segment as the KACO Meteor server. This constraint reduces remote exposure but remains relevant in operational technology (OT) environments where flat network topologies are common. Successful exploitation impacts database integrity and availability and enables privilege elevation within the application context.
Root Cause
The root cause is improper input neutralization in SQL statement construction [CWE-89]. User-supplied parameters reach SQL query builders without parameterized binding or strict input validation. This allows special SQL metacharacters to alter query semantics rather than being treated as literal data.
Attack Vector
The attack path requires an authenticated session with high privileges on the KACO Meteor server. The attacker submits malicious input through an application interface that interacts with the database. The server appends the input directly into a SQL command, executing attacker-controlled SQL logic. No user interaction is required beyond the attacker's own session. Technical specifics of the vulnerable parameters are not disclosed; see Siemens Security Advisory SSA-545643 for vendor-supplied details.
Detection Methods for CVE-2026-41125
Indicators of Compromise
- Unexpected database write or schema modification events originating from KACO Meteor server processes
- Authentication events for high-privilege accounts followed by anomalous SQL query patterns
- Application or database logs containing SQL metacharacters such as single quotes, comment markers, or UNION keywords in parameter fields
Detection Strategies
- Enable verbose query logging on the database backend used by KACO Meteor server and review queries for syntactic anomalies
- Inspect application logs for high-privilege authenticated sessions issuing unusual request patterns from adjacent network hosts
- Correlate inverter management plane traffic with originating endpoints to identify unauthorized administrative actions
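The indicator and detection items above can be turned into a simple log triage routine. The script below is an added example, not code from the page or from Siemens or KACO: it parses constructed sample lines in a hypothetical key=value log format (the real Meteor server log format is not documented here), flags parameter values carrying the metacharacters named in the IoC list, and rates each hit higher when its session earlier authenticated as a high-privilege account, which is the correlation the Detection Strategies list describes.

```python
import re

# Constructed sample lines in a hypothetical key=value log format; the real
# KACO Meteor server log format is not documented in the advisory summary above.
SAMPLE_LOGS = """\
2026-05-12T08:00:01Z sess=a1 user=svc_admin priv=high action=login params=
2026-05-12T08:00:07Z sess=a1 user=svc_admin priv=high action=query params=site=PV-North
2026-05-12T08:00:09Z sess=a1 user=svc_admin priv=high action=query params=site=PV-North' UNION SELECT 1,2--
2026-05-12T08:01:00Z sess=b7 user=operator priv=low action=login params=
2026-05-12T08:01:05Z sess=b7 user=operator priv=low action=query params=site=O'Brien
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) user=(?P<user>\S+) priv=(?P<priv>\S+) "
    r"action=(?P<action>\S+) params=(?P<params>.*)$"
)
# Metacharacters named in the IoC list: single quote, comment markers, UNION keyword.
SQL_META_RE = re.compile(r"'|--|/\*|\bunion\b", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_sqli_indicators(log_text):
    """Flag parameter values containing SQL metacharacters and rate each finding
    by whether its session earlier authenticated as a high-privilege account.
    A lone quote from a low-privilege user (e.g. a surname) stays low severity."""
    high_priv_sessions = set()
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["action"] == "login" and ev["priv"] == "high":
            high_priv_sessions.add(ev["sess"])
            continue
        tokens = sorted({t.lower() for t in SQL_META_RE.findall(ev["params"])})
        if not tokens:
            continue
        severity = "high" if ev["sess"] in high_priv_sessions else "low"
        findings.append({"ts": ev["ts"], "sess": ev["sess"], "user": ev["user"],
                         "severity": severity, "tokens": tokens, "params": ev["params"]})
    return findings


if __name__ == "__main__":
    for f in find_sqli_indicators(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['ts']} sess={f['sess']} user={f['user']} "
              f"tokens={','.join(f['tokens'])} params={f['params']}")
```

Running it on the constructed sample yields one high-severity finding for the high-privilege session and one low-severity finding for the operator's apostrophe, which is the noise the privilege correlation is meant to separate out.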
Monitoring Recommendations
- Monitor east-west traffic to the KACO Meteor server on OT and field networks for unauthorized connections
- Alert on privilege changes, new account creations, or role assignments within the Meteor server database
- Capture and retain authentication logs to support forensic review of any high-privilege session involved in suspected exploitation
How to Mitigate CVE-2026-41125
Immediate Actions Required
- Review and rotate credentials for all high-privilege KACO Meteor server accounts and remove unused administrative accounts
- Restrict network access to the KACO Meteor server using firewall rules or VLAN segmentation so only authorized engineering workstations can reach it
- Consult Siemens Security Advisory SSA-545643 for the current fix status and apply vendor-supplied updates as soon as they are released
Patch Information
Siemens published advisory SSA-545643 covering this vulnerability. At the time of NVD publication on 2026-05-12, all listed blueplanet product versions are affected. Review the vendor advisory for the most recent patch availability and remediation guidance specific to each model.
Workarounds
- Place the KACO Meteor server behind a dedicated management network and block adjacent-network access from untrusted hosts
- Enforce strong authentication for all administrative accounts and limit the number of accounts with high privileges
- Apply OT network monitoring to detect anomalous SQL traffic and unauthorized database modifications until a vendor patch is applied
# Example firewall rules, applied on the KACO Meteor server host, to restrict access to it
# Replace METEOR_HOST and MGMT_SUBNET with site-specific values; adjust --dport if the
# Meteor server listens on a port other than 443
# Rules are evaluated in order: the ACCEPT for the management subnet must precede the DROP
iptables -A INPUT -p tcp -d METEOR_HOST --dport 443 -s MGMT_SUBNET -j ACCEPT
iptables -A INPUT -p tcp -d METEOR_HOST --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.