CISA Warns of Critical SunPower Flaw Allowing Full Device Takeover
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory about a critical vulnerability in SunPower’s PVS6 solar inverters that could allow attackers to gain complete control of the devices. The flaw, tracked as CVE-2025-9696, carries a CVSS v3.1 score of 9.6 and a CVSS v4 score of 9.4.
CISA explained that “successful exploitation of this vulnerability could allow attackers to gain full access to the device, enabling them to replace firmware, modify settings, disable the device, create SSH tunnels, and manipulate attached devices.” The weakness lies in the Bluetooth Low Energy servicing interface, which uses hardcoded encryption parameters and publicly accessible protocol details. Attackers within Bluetooth range could leverage these static credentials to establish administrative access.
The issue affects PVS6 firmware version 2025.06 build 61839 and earlier. CISA confirmed that “no known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.” However, experts warn that attackers could potentially automate exploitation by scanning for exposed devices in densely deployed environments.
Security researcher Dagan Henderson reported the flaw to CISA, noting that “CISA assigned CVE-2025-9696 to the vulnerability and requested that I delay publishing my research until 12:00 p.m. Eastern on Sept. [2, 2025].” SunPower has not responded to CISA’s coordination attempts, leaving asset owners without official vendor guidance.
CISA recommends isolating affected devices’ networks, using VPNs for remote access, and monitoring for signs of unauthorized connections. Organizations are advised to disable Bluetooth functionality where feasible until patches are available.
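Acting on this guidance starts with knowing which units run firmware in the affected range. The following added example (not from CISA, SunPower, or the original article) triages an asset inventory against the boundary quoted above. It assumes the inventory reports firmware in the "2025.06 build 61839" form used in the advisory and that the fields order numerically; the device IDs and the other version strings are constructed.

```python
import re

# Boundary stated in the article: firmware 2025.06 build 61839 and earlier.
LAST_AFFECTED = (2025, 6, 61839)

# Assumed inventory format, modelled on the advisory wording: "2025.06 build 61839".
_FW_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})\s+build\s+(\d+)\s*$", re.IGNORECASE)


def parse_firmware(text):
    """Return (major, minor, build), or None if the string is not in the assumed format."""
    m = _FW_RE.match(text or "")
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def classify(text):
    """Classify one firmware string as 'affected', 'not_listed' or 'unknown'."""
    parsed = parse_firmware(text)
    if parsed is None:
        return "unknown"  # fail closed: unparseable entries need manual review
    # 'not_listed' only means newer than the advisory's range, not confirmed fixed.
    return "affected" if parsed <= LAST_AFFECTED else "not_listed"


def triage(inventory):
    """Group device IDs by classification, preserving inventory order."""
    result = {"affected": [], "not_listed": [], "unknown": []}
    for device_id, firmware in inventory:
        result[classify(firmware)].append(device_id)
    return result


# Constructed sample inventory (IDs and non-boundary versions are made up).
SAMPLE_INVENTORY = [
    ("site-a-pvs6-01", "2025.06 build 61839"),
    ("site-a-pvs6-02", "2024.11 build 60112"),
    ("site-b-pvs6-01", "2025.09 build 62001"),
    ("site-b-pvs6-02", "unknown"),
    ("site-c-pvs6-01", ""),
]

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(devices) or '-'}")
```

Devices in the "affected" and "unknown" groups are the ones to prioritise for network isolation and for disabling Bluetooth where feasible.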
The advisory was part of a broader set of industrial control system alerts also covering Delta Electronics, Fuji Electric, and Hitachi Energy products. While no active exploitation has been observed, CISA urged operators to apply updates where available and adopt layered defense strategies to mitigate risks across critical infrastructure.