CISA flags Siemens KACO inverter credential derivation flaw
Serial-number-derived service credentials are not a patch-management nuisance; they are an authentication design failure sitting in the field.
TL;DR
CISA disclosed two Siemens KACO blueplanet inverter flaws across more than 25 models: CVE-2025-40946, an 8.3 CVSS credential-derivation issue, and CVE-2026-41125, a 6.0 SQL injection in KACO Meteor server. Energy operators, primes, contractors, managed service providers, and defense-industrial-base organizations maintaining these devices should update eligible models to V3.91 or V6.1.4.9 and apply segmentation and access controls where fixes are unavailable. The ugly part is the patch map: KACO lists fixes for several products, but “no fix planned” or “no fix available” for others.
CISA’s Siemens KACO blueplanet advisory is the kind of industrial-control-system notice that looks routine until the authentication scheme shows up. CVE-2025-40946 lets an attacker derive Technical Service credentials from a device serial number using a CRC16-based algorithm and then use those credentials for unauthorized access. That is not merely a weak password policy. It is a predictable credential factory attached to deployed solar inverters.
The second issue, CVE-2026-41125, is an SQL injection in KACO Meteor server that allows an authorized attacker to elevate privileges over a local network. Siemens assigns the credential flaw a CVSS v3.1 score of 8.3 and the SQL injection a 6.0. The affected list spans KACO blueplanet TL3, GEN2, NX, gridsafe, and hybrid inverter families, with deployment in the energy sector worldwide.
The operational answer is uneven. KACO new energy has released V3.91 or later for some gridsafe models and V6.1.4.9 or later for several GEN2 models through its customer portal, and says it is preparing further fixes. For other listed products, the advisory says no fix is planned or no fix is currently available. That leaves asset owners with the familiar OT residue: inventory the exact inverter family and firmware, patch where Siemens provides a version, and treat the rest as a compensating-controls problem rather than a scheduled maintenance item.
For critical power operators, primes, contractors, managed service providers, and defense-industrial-base organizations touching solar generation environments, the Monday work is not subtle. Confirm whether KACO blueplanet assets are reachable from business networks or remote-access paths, restrict control-system exposure, put the devices behind firewalls and segmentation, and update VPN and remote-access infrastructure before relying on it as the boundary. A serial number should not be enough material to mint service credentials. Where the installed base cannot be fixed yet, the network has to carry the control that the device design did not.
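As an added example, not part of the CISA advisory or this post, the inventory step above in Python: a constructed fleet list is triaged against the fixed versions named in the advisory. The family-level mapping is an assumed placeholder; only some gridsafe and several GEN2 models actually have fixes, so the real per-model mapping must come from the Siemens advisory.

```python
# Added example (not from the CISA/Siemens advisory): triage a constructed
# KACO blueplanet inventory against the fixed firmware versions the advisory
# names. FIXED_VERSION is a PLACEHOLDER keyed by family; the real mapping is
# per model and must be taken from the Siemens advisory.
import re

# Minimum fixed firmware per family (assumption: family-level placeholder).
# None means the advisory lists no fix planned / no fix currently available.
FIXED_VERSION = {
    "gridsafe": "3.91",
    "GEN2": "6.1.4.9",
    "TL3": None,
    "NX": None,
    "hybrid": None,
}

def parse_version(v: str) -> tuple:
    """Turn 'V3.91' or '6.1.4.9' into a comparable tuple of ints."""
    digits = re.findall(r"\d+", v)
    if not digits:
        raise ValueError(f"unparseable firmware version: {v!r}")
    return tuple(int(d) for d in digits)

def triage(family: str, firmware: str) -> str:
    """Classify one inverter for the remediation plan."""
    if family not in FIXED_VERSION:
        return "UNKNOWN_FAMILY"      # not in the advisory mapping: review by hand
    fixed = FIXED_VERSION[family]
    if fixed is None:
        return "COMPENSATE"          # no vendor fix: segment, firewall, restrict access
    if parse_version(firmware) >= parse_version(fixed):
        return "PATCHED"             # at or above the "or later" fixed version
    return "PATCH_AVAILABLE"         # fix exists on the vendor portal; schedule it

def triage_inventory(rows):
    """rows: iterable of (asset_id, family, firmware) -> {asset_id: status}."""
    return {asset_id: triage(family, fw) for asset_id, family, fw in rows}

# Constructed sample inventory (asset ids and firmware strings are made up).
SAMPLE_INVENTORY = [
    ("inv-001", "gridsafe", "V3.90"),
    ("inv-002", "gridsafe", "V3.91"),
    ("inv-003", "GEN2", "V6.1.4.8"),
    ("inv-004", "GEN2", "V6.1.5.0"),
    ("inv-005", "TL3", "V2.4"),
]

if __name__ == "__main__":
    for asset, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(asset, status)
```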
Published · Deep Fathom