CVE-2025-40946: KACO new energy Inverter Credential Derivation Flaw

/HIGH /CVSS 8.3/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-321
CVE-2025-40946: KACO new energy Inverter Credential Derivation Flaw

A critical vulnerability, CVE-2025-40946, has been identified in numerous KACO new energy blueplanet inverter models. According to the National Vulnerability Database, this flaw stems from a CRC16-based algorithm used to generate Technical Service credentials. This predictable algorithm allows an attacker to derive these sensitive credentials directly from a device’s serial number.

This isn’t a theoretical risk; it’s a direct path to unauthorized access. An attacker who obtains a device’s serial number can generate valid service credentials, effectively bypassing authentication. The National Vulnerability Database assigns this a high CVSS score of 8.3, with an ‘Attack Vector: Adjacent’ (AV:A) and ‘Impact: High’ for integrity and availability (I:H/A:H), meaning an attacker merely needs to be on the local network segment. The consequences could range from manipulating power generation to shutting down critical infrastructure.

Defenders operating these inverters need to move fast. This isn’t just about data; it’s about physical control. The attacker’s calculus here is simple: if they can get on the network, they own the device. This vulnerability, categorized as CWE-321 (Improperly Implemented Cryptographic Algorithm), underscores the persistent danger of weak credential generation practices in OT/IoT devices.

What This Means For You

  • If your organization uses any of the affected KACO new energy blueplanet inverter models, you must immediately assess your exposure to CVE-2025-40946. Prioritize network segmentation to isolate these devices from untrusted networks and apply any available patches or workarounds from KACO new energy to mitigate the credential derivation risk. Assume any device with an accessible serial number is compromised if not patched.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1078.004 Cloud Accounts Initial Access

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1078.004 Credential Access

CVE-2025-40946: KACO new energy Inverter Technical Service Credential Derivation Attempt

Sigma YAML — free preview 
title: CVE-2025-40946: KACO new energy Inverter Technical Service Credential Derivation Attempt
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  Detects attempts to access the technical service login endpoint on KACO new energy inverters. This rule specifically targets the API path used for technical service login, which is vulnerable to credential derivation attacks based on the device serial number as described in CVE-2025-40946. Successful exploitation allows unauthorized access.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2025-40946/
tags:
  - attack.credential_access
  - attack.t1078.004
logsource:
    category: authentication
detection:
  selection:
      src_ip|exists: 
      dst_ip|exists: 
      dst_port|exact: 
      cs-uri-query|contains:
          - '/api/v1/technical_service/login'
      cs-method|exact: 
          - 'POST'
      sc-status|exact: 
          - '200'
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2025-40946 Auth Bypass blueplanet 100 NX3 M8 (All versions)
CVE-2025-40946 Auth Bypass blueplanet 100 TL3 GEN2 (All versions < V6.1.4.9)
CVE-2025-40946 Auth Bypass blueplanet gridsafe 110 TL3-S (All versions < V3.91)
CVE-2025-40946 Auth Bypass Weak credential generation using CRC16-based algorithm from device serial number

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 12, 2026 at 13:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-45218: WP Travel Blind SQL Injection Puts User Data at Risk

CVE-2026-45218 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This...

vulnerabilityCVEhigh-severitysql-injectioncwe-89
/SCW Vulnerability Desk /HIGH /7.7 /⚑ 4 IOCs /⚙ 6 Sigma

CVE-2026-45215 — Saad Iqbal WP EasyPay Wp-Easy-Pay Vulnerability

CVE-2026-45215 — Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data.This issue affects WP EasyPay:...

vulnerabilityCVEmedium-severitycwe-201
/SCW Vulnerability Desk /MEDIUM /5.3 /⚑ 2 IOCs /⚙ 3 Sigma

Xpro Elementor Addons SQL Injection (CVE-2026-45214) Poses High Risk

CVE-2026-45214 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection.This...

vulnerabilityCVEhigh-severitysql-injectioncwe-89
/SCW Vulnerability Desk /HIGH /8.5 /⚑ 4 IOCs /⚙ 3 Sigma