Blueplanet 92 0 Tl3 Gen2
Monthly
SQL injection in KACO Meteor server affecting all versions of blueplanet inverter product line allows authorized attackers on the local network to elevate privileges and modify system data. The vulnerability requires high-privilege credentials and abnormal configuration access (AC:H), limiting exploitation to insider threats or attackers who have already compromised administrative access. CVSS 6.0 with integrity and availability impact reflects significant risk within trusted network environments.
Predictable Technical Service credentials derived from CRC16-based algorithm and device serial number enable authentication bypass in Siemens blueplanet solar inverters and hybrid systems. Remote adjacent network attackers without authentication can calculate valid service credentials from publicly-observable serial numbers, gaining unauthorized administrative access to compromise device integrity and availability. Affects 23 blueplanet product families including TL3, NX3, NH3, and gridsafe variants across industrial solar installations. Patches released for GEN2 models (V6.1.4.9) and gridsafe variants (V3.91), but legacy TL3/NX3/NH3 first-generation models remain unpatched with no vendor-provided fix versions.
SQL injection in KACO Meteor server affecting all versions of blueplanet inverter product line allows authorized attackers on the local network to elevate privileges and modify system data. The vulnerability requires high-privilege credentials and abnormal configuration access (AC:H), limiting exploitation to insider threats or attackers who have already compromised administrative access. CVSS 6.0 with integrity and availability impact reflects significant risk within trusted network environments.
Predictable Technical Service credentials derived from CRC16-based algorithm and device serial number enable authentication bypass in Siemens blueplanet solar inverters and hybrid systems. Remote adjacent network attackers without authentication can calculate valid service credentials from publicly-observable serial numbers, gaining unauthorized administrative access to compromise device integrity and availability. Affects 23 blueplanet product families including TL3, NX3, NH3, and gridsafe variants across industrial solar installations. Patches released for GEN2 models (V6.1.4.9) and gridsafe variants (V3.91), but legacy TL3/NX3/NH3 first-generation models remain unpatched with no vendor-provided fix versions.