[TIMESTAMP: 2026-06-09 17:02 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Siemens KACO Blueplanet Inverter Vulnerabilities: CVE-2025-40946 & CVE-2026-41125

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Critical energy sector operations are at risk due to unauthorized access and privilege escalation in KACO Blueplanet Inverters.
  • [02] Affected systems: Various Siemens KACO Blueplanet Inverter models, including blueplanet 100 NX3 M8, 100 TL3 GEN2, and gridsafe series.
  • [03] Remediation: Apply available firmware updates (V3.91, V6.1.4.9) and strengthen network segmentation for affected devices.

Overview of Siemens KACO Blueplanet Inverter Vulnerabilities

Siemens KACO Blueplanet Inverters, widely deployed in critical energy infrastructure worldwide, are affected by multiple significant vulnerabilities. These weaknesses could allow attackers to gain unauthorized access and elevate privileges, posing a substantial risk to grid reliability and operational integrity. The most severe of these, CVE-2025-40946, carries a CVSS v3.1 score of 8.3 (High) and stems from the use of a hard-coded cryptographic key. Another vulnerability, CVE-2026-41125, rated 6.0 (Medium), involves an SQL Injection flaw in the KACO Meteor server component.

According to CISA advisory ICSA-26-160-02, KACO new energy GmbH has released updates for some affected products and recommends specific countermeasures where fixes are not yet available. This advisory underscores the need for immediate attention from operators of these critical power systems to mitigate potential exploitation.

Technical Analysis of Detected Vulnerabilities

These vulnerabilities collectively present a concerning attack surface for critical infrastructure operators. Understanding the technical specifics is crucial for effective defense.

CVE-2025-40946: Hard-coded Cryptographic Key

This vulnerability, classified under CWE-321 Use of Hard-coded Cryptographic Key, impacts numerous blueplanet inverter models. It arises from a CRC16-based algorithm used to generate Technical Service credentials. An attacker can leverage this predictable algorithm to derive valid credentials simply from the device’s serial number. This allows for unauthorized access to the inverter, potentially enabling malicious control, data manipulation, or disruption of energy generation processes. The high CVSS score reflects the ease of exploitation (Adjacent Network, Low Attack Complexity, No Privileges Required, No User Interaction) and the significant impact on integrity and availability (High).

CVE-2026-41125: SQL Injection in KACO Meteor Server

The second identified flaw, CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), affects the KACO Meteor server component. This SQL Injection vulnerability allows an authorized attacker to elevate privileges over a local network. While requiring prior authorization, the ability to escalate privileges means an attacker who has gained initial access (e.g., through the hard-coded key flaw or other means) can achieve deeper control within the system. For many affected models, no fix is currently available for this specific issue, necessitating reliance on broader defensive measures.

Affected Products and Critical Infrastructure Impact

The vulnerabilities affect a wide array of Siemens KACO Blueplanet Inverter models and versions. These include, but are not limited to:

  • blueplanet 100 NX3 M8
  • blueplanet 100 TL3 GEN2 (versions prior to 6.1.4.9)
  • blueplanet 105 TL3 and GEN2 series
  • blueplanet 110 TL3
  • blueplanet 125 NX3 M11 and TL3 series (including GEN2 versions prior to 6.1.4.9)
  • blueplanet 137 TL3
  • blueplanet 150 TL3 and GEN2 series (including versions prior to 6.1.4.9)
  • blueplanet 155 TL3 and GEN2 series (including versions prior to 6.1.4.9)
  • blueplanet 165 TL3 and GEN2 series (including versions prior to 6.1.4.9)
  • blueplanet gridsafe 110 TL3-S, 137 TL3-S, and 92.0 TL3-S (versions prior to 3.91)

Given their deployment in the energy sector, these inverters are vital components of global critical infrastructure. Compromise of these devices could lead to operational disruption, potential grid instability, and significant economic impact. Unauthorized access to a device of this importance is a serious challenge for maintaining energy grid resilience.

Actionable Recommendations: Protecting Siemens KACO Blueplanet Inverters

Operators of Siemens KACO Blueplanet Inverters should prioritize a multi-layered defense strategy to mitigate these vulnerabilities. The primary goal is to limit exposure and contain potential threats, ensuring the reliability of energy systems. Defenders should plan protection for these inverters against both external and internal threats.

Prioritizing Patching for KACO Blueplanet Inverter Security Update V6.1.4.9

For models where fixes are available, immediately apply the recommended security updates. Specifically, for models like blueplanet 100 TL3 GEN2, 105 TL3 GEN2, 125 TL3 GEN2, 150 TL3 GEN2, 155 TL3 GEN2, 165 TL3 GEN2, 87.0 TL3 GEN2, and 92.0 TL3 GEN2, update to V6.1.4.9 or later. For blueplanet gridsafe 110 TL3-S, 137 TL3-S, and 92.0 TL3-S, update to V3.91 or later. Siemens advises validating any security update prior to deployment and supervising the update process with trained staff. While these updates address some issues, for other affected models, fixes are not yet planned or available, which means additional compensatory controls are necessary. This is especially relevant for mitigating CVE-2025-40946 in energy systems where direct patching is not possible.
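The patching guidance above boils down to a version check per model. The following Python script is an added example, not code from KACO, Siemens or the advisory: it triages a constructed inverter inventory against the fixed firmware versions the article names (V6.1.4.9 for the listed GEN2 models, V3.91 for the gridsafe TL3-S models) and flags affected models with no fix as needing compensating controls. The inventory format, the sample rows and the assumption that inventory model strings match the advisory's model names exactly are all assumptions of this example.

```python
"""Firmware triage for a KACO blueplanet inverter inventory.

Added example, not code from KACO, Siemens or the advisory. Fixed versions are
taken from the article text; the CSV inventory format, SAMPLE_INVENTORY and the
placeholder serials are constructed for this example."""
import csv
import io

# Models with a fixed firmware named in the article, keyed by model string.
FIXED_VERSIONS = {
    "blueplanet 100 TL3 GEN2": "6.1.4.9",
    "blueplanet 105 TL3 GEN2": "6.1.4.9",
    "blueplanet 125 TL3 GEN2": "6.1.4.9",
    "blueplanet 150 TL3 GEN2": "6.1.4.9",
    "blueplanet 155 TL3 GEN2": "6.1.4.9",
    "blueplanet 165 TL3 GEN2": "6.1.4.9",
    "blueplanet 87.0 TL3 GEN2": "6.1.4.9",
    "blueplanet 92.0 TL3 GEN2": "6.1.4.9",
    "blueplanet gridsafe 110 TL3-S": "3.91",
    "blueplanet gridsafe 137 TL3-S": "3.91",
    "blueplanet gridsafe 92.0 TL3-S": "3.91",
}

# Models the article lists as affected without a fixed version; the advisory
# says fixes are not yet available, so these need compensating controls
# (segmentation, access restriction, monitoring).
AFFECTED_NO_FIX = {
    "blueplanet 100 NX3 M8",
    "blueplanet 105 TL3",
    "blueplanet 110 TL3",
    "blueplanet 125 NX3 M11",
    "blueplanet 125 TL3",
    "blueplanet 137 TL3",
    "blueplanet 150 TL3",
    "blueplanet 155 TL3",
    "blueplanet 165 TL3",
}


def parse_version(text):
    """'V6.1.4.9' -> (6, 1, 4, 9). Tuples compare numerically, unlike strings
    (as strings '6.1.4.10' < '6.1.4.9', which would hide an installed fix)."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))


def triage(model, firmware):
    """Return (status, fixed_version) for one device.
    UPDATE:      a fixed version exists and the device runs something older.
    PATCHED:     the device runs the fixed version or later.
    COMPENSATE:  affected model with no fix available per the advisory.
    NOT_LISTED:  model not named in the advisory; verify manually."""
    if model in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[model]
        if parse_version(firmware) < parse_version(fixed):
            return "UPDATE", fixed
        return "PATCHED", fixed
    if model in AFFECTED_NO_FIX:
        return "COMPENSATE", None
    return "NOT_LISTED", None


# Constructed sample inventory: serial,model,firmware (serials are placeholders).
SAMPLE_INVENTORY = """serial,model,firmware
INV-PLACEHOLDER-001,blueplanet 100 TL3 GEN2,V6.1.4.8
INV-PLACEHOLDER-002,blueplanet 150 TL3 GEN2,V6.1.4.9
INV-PLACEHOLDER-003,blueplanet gridsafe 110 TL3-S,V3.90
INV-PLACEHOLDER-004,blueplanet 100 NX3 M8,V2.10
INV-PLACEHOLDER-005,placeholder-model-not-in-advisory,V1.2
"""


def triage_inventory(csv_text):
    """Triage every row; returns a list of (serial, model, firmware, status, fixed)."""
    result = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, fixed = triage(row["model"], row["firmware"])
        result.append((row["serial"], row["model"], row["firmware"], status, fixed))
    return result


if __name__ == "__main__":
    for serial, model, fw, status, fixed in triage_inventory(SAMPLE_INVENTORY):
        target = f" -> {fixed}" if fixed else ""
        print(f"{serial:24} {model:36} {fw:10} {status}{target}")
```

Export the real inventory from the asset register in the same three-column form and feed it to `triage_inventory`; every `UPDATE` row is a patch ticket, every `COMPENSATE` row is a segmentation and monitoring ticket, and `NOT_LISTED` rows deserve a manual look against the advisory rather than being assumed safe.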

Network Segmentation and Access Control

  • Minimize Network Exposure: Ensure control system devices are not directly accessible from the internet. All internet-facing components should be minimized and hardened.
  • Isolate Control System Networks: Implement robust network segmentation, separating ICS/OT networks from enterprise IT networks using firewalls and other security mechanisms. This is critical for preventing lateral movement should a compromise occur.
  • Secure Remote Access: When remote access is indispensable, utilize secure methods such as Virtual Private Networks (VPNs). Ensure VPNs are updated to the latest versions and are configured with strong authentication and access controls. Recognize that a VPN’s security is contingent on the security of connected devices and endpoint posture.

Continuous Monitoring and Incident Response

  • Implement Monitoring: Deploy robust monitoring solutions (e.g., SIEM, EDR) to detect anomalous activity on ICS networks. Given the potential for unauthorized access, any unusual login attempts, configuration changes, or communication patterns related to the inverters should trigger immediate alerts.
  • Risk Assessment: Conduct a thorough impact analysis and risk assessment to understand the specific implications of these vulnerabilities within your operational environment. This informs the prioritization of mitigation efforts.
  • Report Suspected Activity: Organizations observing suspected malicious activity should follow established internal incident response procedures and report findings to relevant authorities like CISA for tracking and correlation.
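The monitoring bullet above asks for alerts on unusual login attempts, configuration changes and communication patterns. The Python below is an added example, not code from KACO, Siemens or the advisory, showing what such rules look like when run over inverter access logs: a Technical Service login attempt from a host outside an engineering allowlist, a burst of failed logins from one source, and a configuration change outside a maintenance window. The log line format, the field names, the `service` user name standing in for the Technical Service account, the allowlist, the window and the sample lines are all constructed assumptions.

```python
"""Detection rules over inverter access logs.

Added example, not code from KACO, Siemens or the advisory. The log format,
field names, the "service" account name, ENGINEERING_HOSTS, the maintenance
window and SAMPLE_LOG are constructed assumptions for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ENGINEERING_HOSTS = {"10.20.5.9"}   # assumed: only hosts allowed to use the service login
MAINTENANCE_WINDOW_UTC = (2, 5)     # assumed: config changes expected 02:00-05:00 UTC
FAIL_THRESHOLD = 3                  # failed logins from one source within FAIL_WINDOW
FAIL_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """'<ISO-8601 Z timestamp> key=value ...' -> dict with tz-aware 'ts'; None if malformed."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": ts}
    rec.update(re.findall(r"(\w+)=(\S+)", parts[1]))
    return rec


def detect(lines):
    """Run three rules over the lines; returns alerts as (rule, inverter, src) tuples."""
    alerts = []
    seen_service_src = set()     # rule 1 fires once per (inverter, src)
    failures = defaultdict(list)  # (inverter, src) -> recent failure timestamps
    burst_reported = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not crashed on
        key = (rec.get("inverter"), rec.get("src"))
        event = rec.get("event")
        if event == "login":
            # Rule 1: any service-account login attempt from a non-engineering host.
            if (rec.get("user") == "service" and rec.get("src") not in ENGINEERING_HOSTS
                    and key not in seen_service_src):
                seen_service_src.add(key)
                alerts.append(("SERVICE_LOGIN_UNEXPECTED_SOURCE",) + key)
            # Rule 2: FAIL_THRESHOLD failures from one source within FAIL_WINDOW.
            if rec.get("result") == "fail":
                recent = [t for t in failures[key] if rec["ts"] - t <= FAIL_WINDOW]
                recent.append(rec["ts"])
                failures[key] = recent
                if len(recent) >= FAIL_THRESHOLD and key not in burst_reported:
                    burst_reported.add(key)
                    alerts.append(("FAILED_LOGIN_BURST",) + key)
        elif event == "config_change":
            # Rule 3: configuration change outside the maintenance window.
            start, end = MAINTENANCE_WINDOW_UTC
            if not (start <= rec["ts"].hour < end):
                alerts.append(("CONFIG_CHANGE_OUTSIDE_WINDOW",) + key)
    return alerts


# Constructed sample log: one benign maintenance session, then a suspicious one.
SAMPLE_LOG = """\
2026-06-09T03:10:00Z inverter=INV-0001 event=login user=service src=10.20.5.9 result=success
2026-06-09T03:11:00Z inverter=INV-0001 event=config_change user=service src=10.20.5.9 param=export_limit
2026-06-09T14:02:01Z inverter=INV-0002 event=login user=service src=10.20.8.77 result=fail
2026-06-09T14:02:03Z inverter=INV-0002 event=login user=service src=10.20.8.77 result=fail
2026-06-09T14:02:05Z inverter=INV-0002 event=login user=service src=10.20.8.77 result=fail
2026-06-09T14:02:09Z inverter=INV-0002 event=login user=service src=10.20.8.77 result=success
2026-06-09T14:02:30Z inverter=INV-0002 event=config_change user=service src=10.20.8.77 param=export_limit
this line is malformed and is skipped
""".splitlines()


if __name__ == "__main__":
    for rule, inverter, src in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: inverter={inverter} src={src}")
```

The first session produces no alerts because the source is an allowlisted engineering host and the change falls inside the window; the second produces three, and the successful login that follows the failures is the one worth escalating first, since it is consistent with the credential-derivation weakness in CVE-2025-40946 being used from an unexpected host. In a SIEM the same three rules map onto a source allowlist, a threshold rule and a time-of-day condition.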
