All CISA Advisories, EN

Siemens KACO Blueplanet Inverters

View CSAF

Summary

KACO blueplanet Inverters contain multiple vulnerabilities that could allow an attacker to derive the credentials from the devices serial number and misuse them to gain unauthorized access. KACO new energy GmbH has released new versions for several affected products and recommends to update to the latest versions. KACO new energy GmbH is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.

The following versions of Siemens KACO Blueplanet Inverters are affected:

  • blueplanet 100 NX3 M8 vers:all/*
  • blueplanet 100 TL3 GEN2 vers:all/*, vers:intdot/<6.1.4.9 
  • blueplanet 105 TL3 vers:all/* 
  • blueplanet 105 TL3 GEN2 vers:all/*, vers:intdot/<6.1.4.9 
  • blueplanet 110 TL3 vers:all/* 
  • blueplanet 125 NX3 M11 vers:all/* 
  • blueplanet 125 TL3 vers:all/* 
  • blueplanet 125 TL3 GEN2 vers:all/*, vers:intdot/<6.1.4.9 
  • blueplanet 137 TL3 vers:all/* 
  • blueplanet 150 TL3 vers:all/* 
  • blueplanet 150 TL3 GEN2 vers:all/*, vers:intdot/<6.1.4.9 
  • blueplanet 155 TL3 vers:all/* 
  • blueplanet 155 TL3 GEN2 vers:all/*, vers:intdot/<6.1.4.9 
  • blueplanet 165 TL3 vers:all/* 
  • blueplanet 165 TL3 GEN2 vers:all/*, vers:intdot/<6.1.4.9 
  • blueplanet 25.0 NX3-33.0 NX3 vers:all/* 
  • blueplanet 3.0 NX3-20.0 NX3 vers:all/* 
  • blueplanet 3.0 TL3-60.0 TL3 vers:all/* 
  • blueplanet 3.0-5.0 NX1 vers:all/* 
  • blueplanet 360 NX3 M6 vers:all/* 
  • blueplanet 50.0 NX3-60.0 NX3 vers:all/* 
  • blueplanet 87.0 TL3 vers:all/* 
  • blueplanet 87.0 TL3 GEN2 vers:all/*, vers:intdot/<6.1.4.9 
  • blueplanet 92.0 TL3 vers:all/* 
  • blueplanet 92.0 TL3 GEN2 vers:all/*, vers:intdot/<6.1.4.9 
  • blueplanet gridsafe 110 TL3-S vers:intdot/<3.91, vers:all/* 
  • blueplanet gridsafe 137 TL3-S vers:intdot/<3.91, vers:all/*
  • blueplanet gridsafe 92.0 TL3-S vers:all/*, vers:intdot/<3.91 
  • blueplanet hybrid 10.0 TL3 vers:all/* 
  • blueplanet hybrid 6.0 NH3-12.0 NH3 vers:all/* 
CVSS Vendor Equipment Vulnerabilities
v3 8.3 Siemens Siemens KACO Blueplanet Inverters Use of Hard-coded Cryptographic Key, Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Background

  • Critical Infrastructure Sectors: Energy
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Germany

Vulnerabilities

Expand All +

CVE-2025-40946

A CRC16-based algorithm for generating Technical Service credentials could allow an attacker to derive the credentials from the devices serial number and misuse them to gain unauthorized access.

View CVE Details

Affected Products

Siemens KACO Blueplanet Inverters
Vendor:
Siemens
Product Version:
blueplanet 100 NX3 M8, blueplanet 100 TL3 GEN2, blueplanet 105 TL3, blueplanet 105 TL3 GEN2, blueplanet 110 TL3, blueplanet 125 NX3 M11, blueplanet 125 TL3, blueplanet 125 TL3 GEN2, blueplanet 137 TL3, blueplanet 150 TL3, blueplanet 150 TL3 GEN2, blueplanet 155 TL3, blueplanet 155 TL3 GEN2, blueplanet 165 TL3, blueplanet 165 TL3 GEN2, blueplanet 3.0 TL3-60.0 TL3, blueplanet 87.0 TL3, blueplanet 87.0 TL3 GEN2, blueplanet 92.0 TL3, blueplanet 92.0 TL3 GEN2, blueplanet gridsafe 110 TL3-S, blueplanet gridsafe 137 TL3-S, blueplanet gridsafe 92.0 TL3-S
Product Status:
known_affected, known_not_affected
Remediations

No fix planned
Currently no fix is planned

None available
Currently no fix is available

Vendor fix
Update to V3.91 or later version
https:

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article: