CVSS Vector (NVD)
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A vulnerability has been identified in blueplanet 100 NX3 M8 (All versions), blueplanet 100 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 105 TL3 (All versions), blueplanet 105 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 110 TL3 (All versions), blueplanet 125 NX3 M11 (All versions), blueplanet 125 TL3 (All versions), blueplanet 125 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 137 TL3 (All versions), blueplanet 150 TL3 (All versions), blueplanet 150 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 155 TL3 (All versions), blueplanet 155 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 165 TL3 (All versions), blueplanet 165 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 25.0 NX3-33.0 NX3 (All versions), blueplanet 3.0 NX3-20.0 NX3 (All versions), blueplanet 3.0 TL3-60.0 TL3 (All versions), blueplanet 3.0-5.0 NX1 (All versions), blueplanet 360 NX3 M6 (All versions), blueplanet 50.0 NX3-60.0 NX3 (All versions), blueplanet 87.0 TL3 (All versions), blueplanet 87.0 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 92.0 TL3 (All versions), blueplanet 92.0 TL3 GEN2 (All versions < V6.1.4.9), blueplanet gridsafe 110 TL3-S (All versions < V3.91), blueplanet gridsafe 137 TL3-S (All versions < V3.91), blueplanet gridsafe 92.0 TL3-S (All versions < V3.91), blueplanet hybrid 10.0 TL3 (All versions), blueplanet hybrid 6.0 NH3-12.0 NH3 (All versions). A CRC16-based algorithm for generating Technical Service credentials could allow an attacker to derive the credentials from the device's serial number and misuse them to gain unauthorized access.
Analysis (AI)
Predictable Technical Service credentials, derived from a CRC16-based algorithm and the device serial number, enable authentication bypass in Siemens blueplanet solar inverters and hybrid systems. An unauthenticated attacker on an adjacent network can compute valid service credentials from a publicly observable serial number and gain unauthorized administrative access, compromising device integrity and availability. The issue affects 23 blueplanet product families, including TL3, NX3, NH3, and gridsafe variants deployed in industrial solar installations. Patches have been released for GEN2 models (V6.1.4.9) and gridsafe variants (V3.91), but the legacy first-generation TL3/NX3/NH3 models remain unpatched, with no vendor-provided fix versions.
Technical Context (AI)
The vulnerability stems from weak credential generation in Siemens blueplanet solar inverter firmware. The affected devices use a CRC16 checksum algorithm (a 16-bit cyclic redundancy check) to derive Technical Service account credentials from device serial numbers. CRC16 is a data-integrity check designed to detect accidental transmission errors, not a cryptographic function suitable for credential generation. The algorithm is deterministic and its output space is only 16 bits (65,536 possible values), so credentials are computationally trivial to derive once the serial number is known. CWE-321 (Use of Hard-coded Cryptographic Key) applies because the credential generation method acts as a predictable, device-identifier-based key derivation that lacks cryptographic strength. Serial numbers are often visible on device labels, in web interfaces, through network discovery protocols (Modbus, SNMP), or in installation documentation, which provides attackers with the necessary input. The affected CPE entries span industrial solar inverter product lines including blueplanet TL3 (three-phase grid-tied), NX3 (next-generation three-phase), NH3 (hybrid storage), and gridsafe (grid support) models ranging from 3 kW to 360 kW capacity, deployed in commercial and utility-scale photovoltaic systems.
Remediation (AI)
For blueplanet GEN2 models (100/105/125/150/155/165/87.0/92.0 TL3 GEN2), immediately upgrade the firmware to V6.1.4.9 or later per Siemens advisory SSA-545643. For blueplanet gridsafe 92.0/110/137 TL3-S models, upgrade to firmware V3.91 or later. Download patches from Siemens Product Support or authorized distribution channels. For legacy first-generation models without available firmware updates (all TL3, NX3, NH3, and NX1 non-GEN2 variants), Siemens advisory SSA-545643 should specify compensating controls but does not provide explicit guidance at publication time; contact Siemens support for device-specific remediation, including possible manual credential rotation procedures or hardware lifecycle guidance.

Immediate compensating controls for all affected models:
- Isolate blueplanet inverters on dedicated VLANs with strict access control lists that permit only authorized management stations. This removes the adjacent-network position the attack requires (AV:A in the CVSS vector).
- Disable Technical Service account access via the web interface if operationally feasible.
- Implement network monitoring to detect unauthorized login attempts against inverter management interfaces.
- Conduct physical security assessments to prevent serial number observation from device labels.
- Review firewall rules to block Modbus TCP (port 502), HTTP/HTTPS (ports 80/443), and proprietary Siemens protocols from untrusted network segments.

Note that network segmentation significantly reduces exploitability but does not eliminate the risk from insider threats or from compromised management workstations already on the isolated VLAN. Advisory URL: https://cert-portal.siemens.com/productcert/html/ssa-545643.html.
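The segmentation and firewall controls above, written out as an nftables ruleset for a Linux gateway that routes into the inverter VLAN. This is an added illustration, not part of the vuln.today record or the Siemens advisory; the addresses, the interface name and the management-port set are assumptions and must be replaced with the real topology, and the port list for Siemens proprietary protocols is a placeholder to be filled in from the vendor documentation.

```nft
#!/usr/sbin/nft -f
# Added example, not vendor-supplied. All values below are assumed placeholders.
define INVERTER_IF    = "vlan30"          # interface facing the inverter VLAN
define INVERTER_NET   = 10.20.30.0/24     # inverter VLAN (assumed)
define MGMT_NET       = 10.0.5.0/24       # authorized management stations (assumed)
# Management services named in the remediation text: HTTP, HTTPS, Modbus TCP.
# Add the ports of the Siemens proprietary protocols here once known.
define MGMT_PORTS     = { 80, 443, 502 }

table inet inverter_seg {
    chain to_inverters {
        type filter hook forward priority filter; policy accept;

        # This chain only polices traffic being forwarded INTO the inverter VLAN.
        oifname != $INVERTER_IF accept

        # Replies to sessions the inverters themselves initiated are allowed.
        ct state established,related accept

        # Allowlist: only the management subnet may open new sessions to the
        # inverters, and only on the management ports. Everything else that
        # wants to reach the inverter VLAN (other VLANs, guest networks, any
        # host that is merely "adjacent" to the site network) is refused.
        ip saddr $MGMT_NET ip daddr $INVERTER_NET \
            tcp dport $MGMT_PORTS ct state new accept

        # Log what was refused so the SOC can see probing of the inverter
        # management interfaces (rate-limited to avoid flooding the log).
        limit rate 10/minute log prefix "inverter-seg drop: "
        drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table inet inverter_seg`. The ruleset deliberately uses an allowlist rather than blocking three ports, because the advisory text also mentions proprietary Siemens protocols whose ports are not enumerated on this page; with a default drop toward the inverter VLAN, an unlisted protocol is closed rather than open. The logged drops feed the monitoring control in the list above. As the remediation note says, this does nothing against a host that is already on the management subnet, so that subnet needs its own hardening.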
External POC / Exploit Code
EUVD-2025-209779
GHSA-5pqm-29j4-2vjr