The SunPower PVS6 fleet has been publicly flagged as critically vulnerable after CISA published an advisory (ICSA-25-245-03) describing a Bluetooth Low Energy (BluetoothLE) servicing interface that embeds hard‑coded encryption parameters and exposed protocol details—weaknesses that let an attacker in Bluetooth range gain full servicing access to the inverter. The flaw is tracked as CVE‑2025‑9696, carries a CVSS v4 base score of 9.4, and affects PVS6 units running firmware 2025.06 build 61839 and prior. This is not theoretical: successful misuse can permit firmware replacement, disabling power production, creating SSH tunnels, altering firewall and grid settings, and direct manipulation of attached devices—effects that put energy-sector operators and service techs squarely in the risk crosshairs. (cisa.gov)
Background / Overview
SunPower’s PVS6 is a residential and small‑commercial string inverter deployed worldwide in solar installations. The recently disclosed issue is categorized as Use of Hard‑Coded Credentials (CWE‑798) and specifically concerns the inverter’s BluetoothLE servicing channel—an adjacent‑network interface by design. Because BluetoothLE operates over local wireless range rather than the public internet, the vulnerability has a particular operational profile: it’s exploitable in proximity (adjacent network) with low attack complexity, but is not—per the advisory—exploitable purely over the internet without local access or proximity. Two independent vulnerability aggregators and security trackers corroborate the CISA advisory’s core findings, echoing the CVE assignment and the high severity ratings (CVSS v4: 9.4). These independent listings reaffirm the technical summary: hard‑coded cryptographic material and public protocol detail disclosure on the Bluetooth interface create a direct path to servicing‑level control. (tenable.com, cvedetails.com)
What CISA reported (quick facts)
- Affected product: SunPower PVS6.
- Affected versions: 2025.06 build 61839 and prior.
- Vulnerability: Hard‑coded encryption parameters / Use of hard‑coded credentials (CWE‑798) exposed via BluetoothLE servicing interface.
- CVE: CVE‑2025‑9696.
- Severity: CVSS v4 base score 9.4 (critical); also reported CVSS v3.1 base score 9.6 in the advisory’s scoring. (cisa.gov, tenable.com, cvedetails.com)
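
To triage a unit inventory against the affected range listed above, the following added example (not code from CISA or SunPower) classifies recorded firmware strings relative to 2025.06 build 61839. It assumes firmware is recorded as `YYYY.MM build N` and that build numbers increase over time; the unit labels and sample strings are constructed.

```python
import re

LAST_AFFECTED = "2025.06 build 61839"  # last affected release, from the quick facts above
# Assumed record format: "YYYY.MM build N" (optional comma, any letter case).
_FW_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})\s*,?\s*build\s+(\d+)\s*$", re.IGNORECASE)


def parse_fw(text):
    """Return (year, month, build), or None if the string is not in the assumed format."""
    m = _FW_RE.match(text or "")
    if not m:
        return None
    year, month, build = (int(g) for g in m.groups())
    if not 1 <= month <= 12:
        return None
    return (year, month, build)


def classify(fw_text):
    """Return 'affected', 'not_listed' or 'unknown'; unparseable input is never treated as safe."""
    fw = parse_fw(fw_text)
    if fw is None:
        return "unknown"
    # "and prior": anything at or below the last affected release is in range.
    return "affected" if fw <= parse_fw(LAST_AFFECTED) else "not_listed"


def triage(inventory):
    """Group unit labels by status; inventory is an iterable of (label, firmware string)."""
    report = {"affected": [], "not_listed": [], "unknown": []}
    for label, fw_text in inventory:
        report[classify(fw_text)].append(label)
    return report


# Constructed sample inventory (labels and firmware strings are made up).
SAMPLE = [
    ("unit-01", "2025.06 build 61839"),
    ("unit-02", "2024.11 build 60212"),
    ("unit-03", "2025.06 build 61840"),
    ("unit-04", "2025.6, Build 61001"),
    ("unit-05", ""),
    ("unit-06", "v3.2-custom"),
]

if __name__ == "__main__":
    for status, units in triage(SAMPLE).items():
        print(f"{status:10s} {', '.join(units) or '-'}")
```

Units reported as `unknown` need a manual firmware check, and `not_listed` means only that the version is newer than the range named in the advisory.
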
If any technical specifics or operational recommendations depend on local policy or vendor guidance, perform an impact analysis and coordinate with SunPower or authorized service partners before making changes that could affect grid interconnection or warranty obligations.
Source: CISA SunPower PVS6 | CISA