The SunPower PVS6 fleet has been publicly flagged as critically vulnerable after CISA published an advisory (ICSA-25-245-03) describing a Bluetooth Low Energy (BluetoothLE) servicing interface that embeds hard‑coded encryption parameters and exposed protocol details—weaknesses that let an attacker in Bluetooth range gain full servicing access to the inverter. The flaw is tracked as CVE‑2025‑9696, carries a CVSS v4 base score of 9.4, and affects PVS6 units running firmware 2025.06 build 61839 and prior. This is not theoretical: successful misuse can permit firmware replacement, disabling power production, creating SSH tunnels, altering firewall and grid settings, and direct manipulation of attached devices—effects that put energy-sector operators and service techs squarely in the risk crosshairs. (cisa.gov, tenable.com)
Source: CISA SunPower PVS6 | CISA
Background / Overview
SunPower’s PVS6 is a residential and small‑commercial string inverter deployed worldwide in solar installations. The recently disclosed issue is categorized as Use of Hard‑Coded Credentials (CWE‑798) and specifically concerns the inverter’s BluetoothLE servicing channel—an adjacent‑network interface by design. Because BluetoothLE operates over local wireless range rather than the public internet, the vulnerability has a particular operational profile: it’s exploitable in proximity (adjacent network) with low attack complexity, but is not—per the advisory—exploitable purely over the internet without local access or proximity. (cisa.gov)

Two independent vulnerability aggregators and security trackers corroborate the CISA advisory’s core findings, echoing the CVE assignment and the high severity ratings (CVSS v4: 9.4). These independent listings reaffirm the technical summary: hard‑coded cryptographic material and public protocol detail disclosure on the Bluetooth interface create a direct path to servicing‑level control. (tenable.com, cvedetails.com)
What CISA reported (quick facts)
- Affected product: SunPower PVS6.
- Affected versions: 2025.06 build 61839 and prior. (cisa.gov)
- Vulnerability: Hard‑coded encryption parameters / Use of hard‑coded credentials (CWE‑798) exposed via BluetoothLE servicing interface. (cisa.gov)
- CVE: CVE‑2025‑9696. (cisa.gov)
- Severity: CVSS v4 base score 9.4 (critical); also reported CVSS v3.1 base score 9.6 in the advisory’s scoring. (cisa.gov, tenable.com)
- Exploitability: Adjacent network / low attack complexity (Bluetooth range). CISA notes no known public exploitation at time of publication and classifies the issue as not remotely exploitable over the internet alone. This proximity‑based threat model creates different operational mitigations than an internet‑facing remote exploit. (cisa.gov)
Technical analysis: why this is dangerous
BluetoothLE as a servicing vector
BluetoothLE is frequently used by installers and service technicians to access device servicing menus, run diagnostics, or apply local settings. When a provisioning or servicing channel exposes fixed cryptographic parameters or predictable secrets, the interface effectively becomes a backdoor that bypasses normal administrative controls.
- Hard‑coded encryption parameters mean an attacker can derive or replicate the session/protocol keys necessary to decrypt, authenticate, or emulate a legitimate servicing session.
- Public protocol details combined with fixed parameters make practical attack development far easier: the adversary does not need to reverse‑engineer the entire stack to interact with servicing APIs. (cisa.gov)
Attack surface and potential actions
Once an attacker achieves servicing access, the advisory highlights an extensive list of high‑impact actions that become feasible:
- Replace device firmware (persistence and supply‑chain style compromise).
- Disable or alter power production (availability impact to energy supply).
- Modify grid interconnection settings (safety and regulatory impact).
- Create SSH tunnels or alter firewall settings (network pivoting).
- Manipulate attached devices or connected systems (lateral movement into building or energy management networks). (cisa.gov)
Scoring and what the numbers mean
CISA calculated and posted both CVSS v3.1 and CVSS v4 vectors; the v4 base score (9.4) reflects the following features in the vector: adjacent attack vector, low attack complexity, no required privileges or user interaction, and high impacts across confidentiality, integrity, and availability—consistent with an attacker able to overwrite firmware or disable power outputs. External trackers and CVE aggregators independently display the same high‑severity assessments, demonstrating community consensus on the risk profile. (cisa.gov, cvedetails.com)
Cross‑checking and verification
Key technical claims in the CISA advisory (affected version, CWE classification, CVE assignment, CVSS vectors, and the adjacent BluetoothLE attack vector) are corroborated by independent repositories and security databases. For example, Tenable’s vulnerability entry and the CVE Details listing mirror the description and scoring and list CISA’s advisory as the primary reference; this gives additional assurance that CISA’s public advisory is the authoritative reference and that security tooling vendors have already begun mapping the CVE into feeds and scanners. These multiple sources independently confirm the facts CISA published. (tenable.com, cvedetails.com)

Caveat: public exploit code and active exploitation reports were not noted by CISA at the time the advisory was released. That absence reduces, but does not eliminate, immediate urgency for emergency containment—because weaponization can happen quickly once details are public. Treat the "no known exploitation" statement as time‑sensitive and monitor vendor and CISA channels closely. (cisa.gov)
Vendor coordination and disclosure timeline
CISA’s advisory explicitly states SunPower did not respond to coordination attempts prior to publication. That lack of vendor engagement is significant for operational teams: it means there may be no vendor patch or official mitigation at time of disclosure, and users must rely on compensating controls and CISA’s recommended mitigations until SunPower issues firmware updates and guidance. The advisory lists September 2, 2025 as the initial publication date and credits researcher Dagan Henderson for reporting. (cisa.gov)

Because SunPower did not coordinate, operators should be particularly cautious about vendor‑provided patch availability and authenticity: if a vendor later issues a fix, verify official channels (signed firmware images, checksums, vendor advisory text) before applying updates.
Practical mitigations for operators and integrators
CISA provides standard ICS hardening recommendations; those are the baseline. Below is a prioritized, operational checklist tailored for SunPower PVS6 operators and service teams.
Immediate (0–24 hours) — containment and exposure reduction
- Disable Bluetooth/adjacent servicing interfaces where operationally feasible. If a unit doesn’t require onsite Bluetooth servicing, turn the interface off in device settings or via local policy.
- Enforce physical separation: restrict device access to locked equipment rooms and restrict who may approach inverters physically.
- Detect and block nearby Bluetooth scanning during maintenance windows: reduce discoverability and place devices in “non‑discoverable” mode if supported.
- Inventory affected units: identify PVS6 units and log firmware versions; prioritize units running 2025.06 build 61839 or earlier for mitigation. (cisa.gov)
Short term (24–72 hours) — network and operational compensations
- Place PVS6 units behind strict network segmentation and firewall rules; ensure any maintenance endpoints are on supervised OT subnets with minimal routing to the enterprise.
- Mandate that remote maintenance uses authenticated, monitored jump hosts or secure provisioning workstations—avoid ad‑hoc Bluetooth provisioning from personal phones or unverified laptops.
- Harden and audit management accounts: rotate service/installer credentials, enable multi‑factor authentication where supported, and remove any default or unused accounts.
Medium term (days–weeks) — monitoring, patches, and process
- Monitor vendor channels for an official SunPower firmware update or mitigation advisory. When a patch is released, obtain it only from official vendor distribution channels and validate digital signatures and checksums.
- Implement logging and anomaly detection on the OT and gateway levels: look for firmware update attempts, unexpected SSH sessions, or unusual outbound tunnels from inverter management endpoints.
- Test updates in staging: firmware changes to inverters can affect power behavior—validate updates in a lab or controlled environment before fleet rollout.
- Supply‑chain and maintenance procedure review: require signed maintenance manifests and authenticated tooling for servicing.
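The inventory step above (prioritize units on 2025.06 build 61839 or earlier) and the firmware‑validation step (checksums from official channels) can be scripted. The following is an added example, not code from CISA or SunPower; it assumes firmware strings look like "2025.06 build 61839" as the advisory words them (the device's real reporting format may differ), uses a constructed sample inventory, and checks SHA‑256 only (signature verification would use the vendor's published signing key, which the advisory does not provide).

```python
import hashlib
import re
from typing import Optional, Tuple

# Affected ceiling from the CISA advisory: firmware 2025.06 build 61839 and prior.
AFFECTED_MAX = (2025, 6, 61839)

# Assumed version string layout "YYYY.MM build NNNNN" (constructed from the
# advisory's wording; adapt the pattern to what your PVS6 units actually report).
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})\s+build\s+(\d+)\s*$", re.IGNORECASE)


def parse_firmware(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, month, build) or None if the string does not parse."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    year, month, build = (int(x) for x in m.groups())
    return (year, month, build)


def is_affected(version: str) -> Optional[bool]:
    """True if at or below the affected ceiling, False if newer, None if unparseable."""
    parsed = parse_firmware(version)
    return None if parsed is None else parsed <= AFFECTED_MAX


def triage(inventory):
    """Bucket (unit_id, version) pairs into affected / clear / unknown.
    Unparseable versions land in 'unknown' so they get reviewed, not silently skipped."""
    buckets = {"affected": [], "clear": [], "unknown": []}
    for unit_id, version in inventory:
        state = is_affected(version)
        key = "unknown" if state is None else ("affected" if state else "clear")
        buckets[key].append(unit_id)
    return buckets


def verify_checksum(image: bytes, expected_sha256: str) -> bool:
    """Compare a downloaded firmware image against the vendor-published SHA-256 hex digest."""
    return hashlib.sha256(image).hexdigest() == expected_sha256.strip().lower()


# Constructed sample inventory; unit ids and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("pvs6-roof-01", "2025.06 build 61839"),    # exactly the ceiling: affected
    ("pvs6-roof-02", "2025.06 build 61840"),    # one build newer: clear
    ("pvs6-closet-03", "2024.11 build 58000"),  # older: affected
    ("pvs6-closet-04", "unknown"),              # needs manual inspection
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```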
Detection and incident response guidance
- Add indicators of compromise (IOCs) aligned to the advisory: unusual provisioning sessions, Bluetooth pairing attempts outside scheduled maintenance, firmware update requests from unknown sources, or new listening SSH tunnels from inverter IPs.
- For suspected compromise: immediately isolate the affected inverter (network and, where safe, power control), preserve forensic logs and local console outputs, and contact CISA (or national incident response resource) as CISA requests in their advisory. (cisa.gov)
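The three indicator classes listed above (Bluetooth pairing outside scheduled maintenance, firmware update requests from unapproved sources, SSH sessions originating from inverter IPs) can be turned into simple detection rules run over gateway or OT logs. This is an added example, not tooling from CISA or SunPower; the key=value log format, inverter IPs, approved provisioning host and the 08:00–18:00 maintenance window are all constructed assumptions, since the advisory does not describe the PVS6 log format.

```python
import re
from datetime import datetime, time

# Constructed gateway/OT log lines in a simple "<iso-timestamp> key=value ..." layout.
# The real PVS6 / gateway log format is not in the advisory; adapt parse_line() to yours.
SAMPLE_LOGS = """\
2025-09-03T02:14:07 src=10.20.5.11 event=ble_pairing peer=aa:bb:cc:dd:ee:01
2025-09-03T09:30:12 src=10.20.5.11 event=ble_pairing peer=aa:bb:cc:dd:ee:02
2025-09-03T02:16:40 src=10.20.5.11 event=firmware_update origin=203.0.113.9
2025-09-03T10:05:00 src=10.20.5.12 event=firmware_update origin=10.20.9.2
2025-09-03T02:17:55 src=10.20.5.11 event=ssh_session dst=198.51.100.7 direction=outbound
2025-09-03T11:00:00 src=10.20.5.12 event=heartbeat
"""

INVERTER_IPS = {"10.20.5.11", "10.20.5.12"}   # PVS6 management IPs from the inventory (constructed)
APPROVED_UPDATE_ORIGINS = {"10.20.9.2"}        # supervised provisioning workstation (constructed)
MAINT_WINDOW = (time(8, 0), time(18, 0))       # scheduled maintenance window (assumption)

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one log line into a dict of fields plus a parsed 'ts' datetime."""
    ts_str, _, rest = line.partition(" ")
    rec = dict(_KV.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def in_maintenance_window(ts: datetime) -> bool:
    start, end = MAINT_WINDOW
    return start <= ts.time() <= end


def detect(log_text: str):
    """Return (rule, timestamp, inverter_ip) alerts for events sourced from inverter IPs."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        src, ev, ts = rec.get("src"), rec.get("event"), rec["ts"]
        if src not in INVERTER_IPS:
            continue  # only inverter-originated events are in scope for these rules
        if ev == "ble_pairing" and not in_maintenance_window(ts):
            alerts.append(("ble_pairing_outside_window", ts, src))
        elif ev == "firmware_update" and rec.get("origin") not in APPROVED_UPDATE_ORIGINS:
            alerts.append(("firmware_update_unapproved_origin", ts, src))
        elif ev == "ssh_session":
            alerts.append(("ssh_session_from_inverter", ts, src))
    return alerts


if __name__ == "__main__":
    for rule, ts, src in detect(SAMPLE_LOGS):
        print(ts.isoformat(), src, rule)
```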
For Windows and IT administrators: bridging IT/OT risk
Many Windows‑centric teams will see this advisory through the lens of enterprise security operations. Key items for Windows admins and SOC teams:
- Ensure that Windows jump hosts and workstations used for inverter servicing are hardened, fully patched, and not used for general internet browsing or personal email. An attacker who compromises a Windows laptop used for local Bluetooth provisioning can use that machine as a bridge into OT systems.
- Enroll PVS6 management interfaces in network monitoring—collect logs into the SIEM and correlate SSH, firewall, and device management events.
- Apply zero‑trust principles to remote maintenance: no direct connections from enterprise workstations into OT gear without MFA and inspection.
- Coordinate with procurement and facilities for physical security of inverter access points—Windows admins can help enforce access control logs and integrated badge access.
Risk assessment: who is most at risk
- Installations with PVS6 units in publicly accessible or lightly protected locations (e.g., rooftop arrays with easy rooftop access, or inverters in unlocked service closets) are highest risk.
- Sites where local Bluetooth provisioning is commonly performed with unvetted devices (personal phones, contractor laptops) increase exposure.
- Organizations with weak segmentation between OT and enterprise networks are at risk of lateral movement following a local compromise. (cisa.gov)
Strengths and weaknesses of the advisory and current public posture
CISA’s advisory is concise and operational: it identifies the affected firmware, the CWE classification, assigns the CVE, and publishes both CVSS v3.1 and v4 vectors—useful for risk scoring and security tooling. The advisory also includes immediate mitigation suggestions that mirror tried‑and‑true ICS recommendations: isolate control networks, minimize exposure, and use secure remote access with caution. (cisa.gov)

Weaknesses in the current public posture are primarily procedural: SunPower’s non‑response to coordination requests leaves operators without an official vendor patch or remediation timeline. That gap forces administrators to rely on compensating controls and detection while waiting for a vendor remedy—an uncomfortable posture for critical‑infrastructure operators.
What to watch for next (threat intelligence and operational follow‑up)
- Official SunPower advisory or firmware release: verify authenticity and apply in staged fashion.
- Public exploit code or proof‑of‑concepts appearing in the wild—if weaponized code is published, the threat profile escalates rapidly. Monitor CVE feeds and your vulnerability scanners; Tenable and other vendors have already added entries mapping CVE‑2025‑9696 to their products. (tenable.com, cvedetails.com)
- Reported incidents: if operators start reporting firmware tampering or unexplained power interruptions coincident with local Bluetooth activity, treat these as possible exploitation attempts and follow incident response playbooks.
Recommended checklist for operators (summary)
- Disable or secure Bluetooth servicing when not needed.
- Inventory all PVS6 units and record firmware builds; prioritize those on 2025.06 build 61839 or earlier. (cisa.gov)
- Segment OT networks; limit routes between inverter management and enterprise networks.
- Require hardened, vendor‑approved provisioning devices and unique authenticated access for installers/technicians.
- Monitor logs for firmware updates and anomalous SSH/firewall changes.
- Validate any vendor firmware via signed images and checksums.
- Prepare incident response playbooks and maintain a secure, auditable chain of custody for any forensic artifacts.
Conclusion
CVE‑2025‑9696 is a high‑consequence vulnerability because it maps a proximity‑based wireless channel—a routine installer/service interface—directly to servicing privileges that can change firmware and control power behavior. The risk is compounded by SunPower’s non‑response during coordinated disclosure, leaving operators to implement defensive controls without a vendor patch in hand. CISA’s advisory provides a clear set of immediate mitigations and an authoritative description of the risk; independent security trackers have already echoed the severity and CVE mapping, enabling organizations to prioritize and scan their fleets promptly. Operators should move quickly to inventory affected units, minimize Bluetooth servicing exposure, strengthen segmentation, and prepare to apply vendor firmware only after validating its provenance. Monitor official channels for patches and be prepared to escalate to incident response if unusual device behavior appears—because in energy environments, cybersecurity failures can translate directly into operational and safety failures. (cisa.gov, tenable.com, cvedetails.com)

(If any technical specifics or operational recommendations depend on local policy or vendor guidance, perform an impact analysis and coordinate with SunPower or authorized service partners before making changes that could affect grid interconnection or warranty obligations.)