---
title: "Critical Flaws in Siemens KACO Inverters Expose Energy Systems to Attacks"
short_title: "Siemens KACO inverters critical vulnerabilities"
description: "Siemens KACO Blueplanet inverters hit by critical vulnerabilities (CVE-2025-40946, CVE-2026-41125). Learn how attackers could exploit them and steps to mitigate risks now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [siemens, kaco, cve-2025-40946, cve-2026-41125, energy-sector]
score: 0.85
cve_ids: [CVE-2025-40946, CVE-2026-41125]
---

## TL;DR
Siemens KACO Blueplanet inverters are affected by two critical vulnerabilities—CVE-2025-40946 and CVE-2026-41125—that could allow attackers to derive credentials from device serial numbers or exploit SQL injection to gain unauthorized access. Siemens has released patches for some models and recommends immediate updates or countermeasures to mitigate risks in energy systems worldwide.


## Main Content

### Introduction
The energy sector faces a growing threat from cyber vulnerabilities in critical infrastructure. Siemens KACO Blueplanet inverters, widely deployed in solar power systems globally, have been found to contain two severe vulnerabilities that could compromise entire energy grids. These flaws enable attackers to derive hard-coded credentials or exploit SQL injection to gain unauthorized access. Siemens has issued patches for some affected models, but many remain at risk, underscoring the urgency for operators to act.


### Key Points
- Two critical vulnerabilities (CVE-2025-40946, CVE-2026-41125) affect Siemens KACO Blueplanet inverters, enabling unauthorized access and privilege escalation.
- Affected models include over 20 variants of Blueplanet inverters, with some still lacking fixes.
- Attackers can exploit hard-coded cryptographic keys or SQL injection to compromise devices over local networks.
- Siemens has released patches for specific models and recommends countermeasures for unpatched devices.
- Energy sector operators must prioritize updates and implement resilient protection measures to minimize risks.


### Technical Details

#### Vulnerability Breakdown
1. CVE-2025-40946 (CVSS 8.3 - High)
   - Type: Use of Hard-coded Cryptographic Key
   - Impact: Attackers can derive Technical Service credentials from the device's serial number using a CRC16-based algorithm. This allows unauthorized access to inverter systems.
   - Affected Models: Nearly all Blueplanet inverter models, including gridsafe and hybrid variants.
   - Mitigation: Siemens recommends updating to V6.1.4.9 or later for most models. Some devices, however, have no fix planned or lack available patches.

2. CVE-2026-41125 (CVSS 6.0 - Medium)
   - Type: SQL Injection
   - Impact: An authorized attacker on the local network can exploit improperly neutralized SQL commands in the KACO Meteor server to elevate privileges.
   - Affected Models: Similar to CVE-2025-40946, this flaw impacts a broad range of Blueplanet inverters.
   - Mitigation: No patches are currently available for this vulnerability, but Siemens is working on fixes.


### Impact Assessment
The vulnerabilities pose a significant risk to energy infrastructure, particularly in regions heavily reliant on solar power. Successful exploitation could lead to:
- Unauthorized access to inverter systems, enabling attackers to disrupt power generation or steal sensitive data.
- Privilege escalation, allowing attackers to manipulate device settings or disable safety mechanisms.
- Wider network compromise, as inverters often connect to broader energy management systems.

Given the global deployment of Siemens KACO inverters, the potential for large-scale disruption is high. Operators of critical power systems must act swiftly to apply patches, segment networks, and implement resilient protection measures.


### Affected Systems
The following Siemens KACO Blueplanet inverter models are affected by one or both vulnerabilities:

| Model | Vulnerabilities | Fix Status |
|---|---|---|
| blueplanet 100 NX3 M8 | CVE-2025-40946, CVE-2026-41125 | No fix planned |
| blueplanet 100 TL3 GEN2 | CVE-2025-40946, CVE-2026-41125 | Update to V6.1.4.9 or later |
| blueplanet 105 TL3 | CVE-2025-40946, CVE-2026-41125 | No fix available |
| blueplanet 105 TL3 GEN2 | CVE-2025-40946, CVE-2026-41125 | Update to V6.1.4.9 or later |
| blueplanet gridsafe 110 TL3-S | CVE-2025-40946, CVE-2026-41125 | Update to V3.91 or later |
| blueplanet hybrid 10.0 TL3 | CVE-2025-40946 | No fix available |
| All other listed models | CVE-2025-40946, CVE-2026-41125 | Varies (see Siemens advisory) |


### Mitigation Steps
Siemens and cybersecurity experts recommend the following actions to mitigate risks:

1. Apply Patches Immediately
   - Update affected inverters to the latest firmware versions (V6.1.4.9 or V3.91) where available.
   - Download patches from the KACO Customer Portal.

2. Implement Network Segmentation
   - Isolate inverter systems from business networks using firewalls and VLANs.
   - Restrict access to local networks where inverters are deployed.

3. Monitor for Suspicious Activity
   - Deploy intrusion detection systems (IDS) to monitor for unauthorized access attempts.
   - Regularly audit logs for signs of exploitation.

4. Follow Siemens Security Guidelines
   - Adhere to Siemens' operational security guidelines for protecting critical infrastructure.

5. Contact Siemens ProductCERT
   - For further assistance, reach out to Siemens ProductCERT via their advisories page.
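The first mitigation step turns into a fleet-wide check once an operator has an inventory of installed firmware. The script below is an added example, not Siemens or KACO code: it carries the fix-status table from the affected-systems section into a triage routine that sorts each inverter into patched, needs update, or has no fix and needs compensating controls. The model names and fixed versions are from the page; the inventory entries, the `parse_version` helper and the action wording are assumptions.

```python
# Fixed firmware version per model as listed in the affected-systems table.
# None means the page lists no fix (no fix planned / no fix available).
FIXED_VERSION = {
    "blueplanet 100 NX3 M8": None,
    "blueplanet 100 TL3 GEN2": "V6.1.4.9",
    "blueplanet 105 TL3": None,
    "blueplanet 105 TL3 GEN2": "V6.1.4.9",
    "blueplanet gridsafe 110 TL3-S": "V3.91",
    "blueplanet hybrid 10.0 TL3": None,
}

# Recommended action per triage result (assumed wording, mirrors the mitigation steps above).
ACTION = {
    "patched": "no action; keep segmented and monitored",
    "update": "apply firmware update from the KACO Customer Portal",
    "compensate": "no fix: isolate on its own VLAN, restrict access, audit logs",
    "unknown": "model not in this table; check the Siemens advisory",
}

def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'V6.1.4.10' into (6, 1, 4, 10) so comparison is numeric per component.
    A plain string comparison would wrongly rank 'V6.1.4.10' below 'V6.1.4.9'."""
    return tuple(int(part) for part in version.strip().lstrip("Vv").split("."))

def triage(model: str, installed: str) -> str:
    """Classify one inverter as patched / update / compensate / unknown."""
    if model not in FIXED_VERSION:
        return "unknown"
    fixed = FIXED_VERSION[model]
    if fixed is None:
        return "compensate"
    return "patched" if parse_version(installed) >= parse_version(fixed) else "update"

def triage_fleet(inventory: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map each hostname in the inventory to its triage result."""
    return {host: triage(model, fw) for host, model, fw in inventory}

# Constructed inventory (hostname, model, installed firmware); not real devices.
INVENTORY = [
    ("inv-01", "blueplanet 105 TL3 GEN2", "V6.1.4.9"),
    ("inv-02", "blueplanet 105 TL3 GEN2", "V6.1.4.10"),  # newer than the fix when compared numerically
    ("inv-03", "blueplanet 100 TL3 GEN2", "V6.1.3.12"),  # older than the fix
    ("inv-04", "blueplanet gridsafe 110 TL3-S", "V3.90"),
    ("inv-05", "blueplanet 100 NX3 M8", "V6.1.4.9"),     # no fix planned: version is irrelevant
]

if __name__ == "__main__":
    for host, result in triage_fleet(INVENTORY).items():
        print(f"{host}: {result} -> {ACTION[result]}")
```

Devices that land in `compensate` are the ones the segmentation and monitoring steps exist for, since no firmware update will close the exposure.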


## Conclusion
The discovery of CVE-2025-40946 and CVE-2026-41125 in Siemens KACO Blueplanet inverters highlights the growing cyber threats to energy infrastructure. While Siemens has released patches for some models, many devices remain vulnerable, emphasizing the need for proactive security measures. Energy sector operators must prioritize updates, network segmentation, and monitoring to safeguard against potential attacks. Failure to act could result in disruptions to power generation, data breaches, or even broader grid compromise.

