CISA Alert: Critical SunPower PVS6 Vulnerability (CVE-2025-9696) Risks Solar Energy Infrastructure

CISA has issued a high-severity alert about a critical vulnerability (CVE-2025-9696) in SunPower’s PVS6 solar inverters that allows attackers within Bluetooth range to take full control of the devices. The flaw, caused by hard-coded credentials in the Bluetooth Low Energy servicing interface, enables unauthorized firmware changes, grid manipulation, and network access. Rated 9.4/10 on the CVSS scale, this vulnerability poses a serious risk to energy infrastructure worldwide.


Affected PVS6 units running firmware version 2025.06 build 61839 or earlier are vulnerable. Although exploitation requires physical proximity, many installations lack proper network segmentation, increasing exposure. CISA recommends isolating devices behind firewalls, disabling or securing Bluetooth interfaces, enforcing strict access controls, and using VPNs for remote servicing.


SunPower has yet to respond publicly, and no active exploits have been reported. Organizations should prioritize patching and follow CISA’s guidance to protect critical solar infrastructure from potential attacks.