Critical Bluetooth vulnerability reported in SunPower Solar Inverters
Take action: If you have SunPower PVS6 inverters, review the advisory and disable their Bluetooth interface whenever they are not being actively serviced. Implement strong physical security around the devices, since attackers can take control from up to 170 feet away. Make sure that the wired connections are isolated from the internet. Use VPN-based wired connections instead of Bluetooth for remote management.
A critical unpatched flaw is reported in SunPower PVS6 photovoltaic inverters.
The vulnerability is tracked as CVE-2025-9696 (CVSS score 9.4) - Use of Hard-Coded Credentials - caused by SunPower's implementation of hard-coded encryption parameters and publicly accessible protocol details within the Bluetooth Low Energy (BLE) servicing interface of the PVS6 inverters.
Attackers positioned within Bluetooth range (approximately 50 to 170 feet, depending on conditions) can bypass authentication mechanisms entirely and gain unauthorized access to critical device functions without credentials or user interaction. Once an attacker gains access to the management interface, they can perform firmware replacement, disable power production, modify grid settings, create unauthorized SSH tunnels, alter firewall settings, and manipulate connected devices.
All PVS6 units running firmware version 2025.06 build 61839 and earlier are confirmed vulnerable.
SunPower did not respond to CISA's attempts to coordinate disclosure of these security flaws.
CISA strongly recommends that organizations isolate inverter servicing networks and implement strict physical security, given the proximity-based nature of the attack. If possible, organizations should disable the BLE interface when remote servicing is not actively required.
Where remote management capabilities are required, they should be implemented over a wired network through a VPN instead of Bluetooth.