What security vulnerabilities has EG4 Electronics discovered in its solar inverters?

EG4 Electronics is reporting multiple security vulnerabilities affecting its solar inverters product lines. Four critical vulnerabilities were identified, with CVSS scores ranging from 6.9 to 9.2, affecting authentication, firmware integrity, data transmission, and device reconnaissance capabilities.

What is CVE-2025-46414 and how critical is it?

CVE-2025-46414 has a CVSS score of 9.2, making it critically severe. It's classified as Improper Restriction of Excessive Authentication Attempts, allowing unlimited PIN brute-force attempts for registered devices and enabling unauthorized access through automated attacks.

What are the other significant vulnerabilities in EG4 solar inverters?

CVE-2025-53520 (CVSS 8.6) allows installation of unverified firmware updates that can contain malicious code, CVE-2025-52586 (CVSS 7.5) exposes all MOD3 command traffic in unencrypted plaintext, and CVE-2025-47872 (CVSS 6.9) reveals device registration status through differential server responses, facilitating reconnaissance attacks.

Which EG4 solar inverter models are affected by these vulnerabilities?

The vulnerabilities affect EG4's complete inverter portfolio with all firmware versions, including EG4 12kPV, EG4 18kPV, EG4 Flex 21, EG4 Flex 18, EG4 6000XP, EG4 12000XP, and EG4 GridBoss models.

When will patches be available for the EG4 solar inverter vulnerabilities?

EG4 Electronics is developing remediation measures with new patches expected by October 15, 2025. However, the authentication brute-force vulnerability (CVE-2025-46414) was already fixed through a server-side update deployed on April 6, 2025.

Why is the firmware integrity vulnerability in EG4 inverters concerning?

CVE-2025-53520 (CVSS 8.6) is concerning because it permits installation of unverified firmware updates that can be modified or contain malicious code. This Download of Code Without Integrity Check vulnerability could allow attackers to completely compromise solar inverter systems with malicious firmware.

What makes the cleartext transmission vulnerability dangerous for EG4 systems?

CVE-2025-52586 (CVSS 7.5) exposes all MOD3 command traffic between monitoring applications and inverters in unencrypted plaintext. This Cleartext Transmission of Sensitive Information allows attackers to intercept and potentially manipulate communications with solar inverter systems.

What is the Observable Discrepancy vulnerability in EG4 solar inverters?

CVE-2025-47872 (CVSS 6.9) is an Observable Discrepancy vulnerability that reveals device registration status through differential server responses. This facilitates reconnaissance attacks by allowing attackers to identify and map EG4 inverter installations, potentially enabling targeted attacks.

Advisory

Critical vulnerabilities reported in EG4 electronics solar inverters

Q: Has any of the EG4 solar inverter vulnerabilities already been fixed?

Yes, the authentication brute-force vulnerability (CVE-2025-46414) was already fixed through a server-side update deployed on April 6, 2025, requiring no customer action. This addressed the most critical vulnerability with the CVSS score of 9.2.

published: Aug. 7, 2025

Take action: If you have EG4 solar inverters, make sure they are isolated them from internet access and accessible only from trusted networks or VPN. Then reach out to the vendor for the firmware updates.

Learn More

EG4 Electronics is reporting multiple security vulnerabilities affecting its solar inverters product lines.

Vulnerabilities summary

CVE-2025-46414 (CVSS score 9.2) - Improper Restriction of Excessive Authentication Attempts: Allows unlimited PIN brute-force attempts for registered devices, enabling unauthorized access through automated attacks
CVE-2025-53520 (CVSS score 8.6) - Download of Code Without Integrity Check: Permits installation of unverified firmware updates that can be modified or contain malicious code
CVE-2025-52586 (CVSS score 7.5) - Cleartext Transmission of Sensitive Information: Exposes all MOD3 command traffic between monitoring applications and inverters in unencrypted plaintext
CVE-2025-47872 (CVSS score 6.9) - Observable Discrepancy: Reveals device registration status through differential server responses, facilitating reconnaissance attacks

Affected devices are EG4's complete inverter portfolio, with all firmware versions of these devices

EG4 12kPV,
EG4 18kPV,
EG4 Flex 21,
EG4 Flex 18,
EG4 6000XP,
EG4 12000XP,
EG4 GridBoss models

EG4 Electronics has acknowledged the vulnerabilities and is developing remediation measures, including new patches expected by October 15, 2025. The company is actively monitoring all installed systems and working with affected customers on a case-by-case basis to detect and respond to any anomalous activity.

The authentication brute-force vulnerability (CVE-2025-46414) was already fixed through a server-side update deployed on April 6, 2025, requiring no customer action.

Organizations should ensure that all inverter systems are isolated from internet-accessible networks, deploy firewall protections around control system networks, and implement secure remote access via VPN.

Critical vulnerabilities reported in EG4 electronics solar inverters

Read More
Kaspersky reports multiple flaws including critical inZKTeco biometric …
Rockwell Automation patches critical flaws in ThinManager ThinServer
Critical remote code execution flaw reported in Emerson …
Multiple critical vulnerabilities reported in Schneider Electric Modicon …
Hubitat Patches Critical Authorization Bypass in Elevation Hubs