Skip to main content

Blueplanet 150 Tl3

2 CVEs product

Monthly

CVE-2026-41125 MEDIUM CISA This Month

SQL injection in KACO Meteor server affecting all versions of blueplanet inverter product line allows authorized attackers on the local network to elevate privileges and modify system data. The vulnerability requires high-privilege credentials and abnormal configuration access (AC:H), limiting exploitation to insider threats or attackers who have already compromised administrative access. CVSS 6.0 with integrity and availability impact reflects significant risk within trusted network environments.

SQLi Blueplanet 100 Nx3 M8 Blueplanet 100 Tl3 Gen2 Blueplanet 105 Tl3 Blueplanet 105 Tl3 Gen2 +25
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2025-40946 HIGH CISA This Week

Predictable Technical Service credentials derived from CRC16-based algorithm and device serial number enable authentication bypass in Siemens blueplanet solar inverters and hybrid systems. Remote adjacent network attackers without authentication can calculate valid service credentials from publicly-observable serial numbers, gaining unauthorized administrative access to compromise device integrity and availability. Affects 23 blueplanet product families including TL3, NX3, NH3, and gridsafe variants across industrial solar installations. Patches released for GEN2 models (V6.1.4.9) and gridsafe variants (V3.91), but legacy TL3/NX3/NH3 first-generation models remain unpatched with no vendor-provided fix versions.

Authentication Bypass Blueplanet 100 Nx3 M8 Blueplanet 100 Tl3 Gen2 Blueplanet 105 Tl3 Blueplanet 105 Tl3 Gen2 +26
NVD VulDB
CVSS 4.0
7.2
EPSS
0.0%
EPSS 0% CVSS 5.9
MEDIUM This Month

SQL injection in KACO Meteor server affecting all versions of blueplanet inverter product line allows authorized attackers on the local network to elevate privileges and modify system data. The vulnerability requires high-privilege credentials and abnormal configuration access (AC:H), limiting exploitation to insider threats or attackers who have already compromised administrative access. CVSS 6.0 with integrity and availability impact reflects significant risk within trusted network environments.

SQLi Blueplanet 100 Nx3 M8 Blueplanet 100 Tl3 Gen2 +27
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Predictable Technical Service credentials derived from CRC16-based algorithm and device serial number enable authentication bypass in Siemens blueplanet solar inverters and hybrid systems. Remote adjacent network attackers without authentication can calculate valid service credentials from publicly-observable serial numbers, gaining unauthorized administrative access to compromise device integrity and availability. Affects 23 blueplanet product families including TL3, NX3, NH3, and gridsafe variants across industrial solar installations. Patches released for GEN2 models (V6.1.4.9) and gridsafe variants (V3.91), but legacy TL3/NX3/NH3 first-generation models remain unpatched with no vendor-provided fix versions.

Authentication Bypass Blueplanet 100 Nx3 M8 Blueplanet 100 Tl3 Gen2 +28
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy