Siemens KACO Blueplanet Inverters (CVE-2025-40946, CVE-2026-41125)
Siemens KACO Blueplanet Inverters contain two vulnerabilities, including a hard-coded cryptographic key issue (CVE-2025-40946) that allows attackers to derive device credentials from serial numbers, and an SQL injection (CVE-2026-41125) in the KACO Meteor server enabling privilege escalation. Siemens has released firmware updates for select models and recommends network isolation for affected devices.
Authors:
Detection / HunterGoogle
What Happened
Siemens KACO Blueplanet Inverters, which are used in energy and power grid systems, have two security flaws. The first flaw allows an attacker to guess the device's service password just by knowing its serial number. The second flaw allows an attacker who is already on the local network to gain higher access levels. These vulnerabilities could allow unauthorized access to critical power equipment. Organizations using these inverters should apply the latest firmware updates from Siemens and ensure the devices are isolated from the public internet.
Key Takeaways
- Siemens KACO Blueplanet Inverters are affected by two vulnerabilities: CVE-2025-40946 and CVE-2026-41125.
- CVE-2025-40946 (CVSS 8.3) allows attackers to derive Technical Service credentials from the device's serial number using a CRC16-based algorithm.
- CVE-2026-41125 (CVSS 6.0) is an SQL injection vulnerability in the KACO Meteor server that allows an authorized attacker to elevate privileges over a local network.
- Firmware updates (V3.91 and V6.1.4.9) are available for select models, while others currently have no fix planned or available.
- CISA and Siemens strongly recommend minimizing network exposure and isolating control system networks behind firewalls.
Affected Systems
- Siemens KACO Blueplanet Inverters (multiple models including 100 NX3, 100 TL3 GEN2, 105 TL3, 125 TL3, 150 TL3, 165 TL3, 3.0 TL3-60.0 TL3, 87.0 TL3, 92.0 TL3, gridsafe series, and hybrid series)
- KACO Meteor server
Vulnerabilities (CVEs)
- CVE-2025-40946
- CVE-2026-41125
Attack Chain
An attacker on the adjacent network identifies a vulnerable Siemens KACO Blueplanet Inverter. Having obtained the device's serial number, the attacker uses the CRC16-based algorithm to derive the Technical Service credentials (CVE-2025-40946), gaining unauthorized access to the device. Alternatively or additionally, an authorized attacker on the local network exploits an SQL injection vulnerability (CVE-2026-41125) in the KACO Meteor server to elevate privileges and gain further control over the system.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The advisory does not provide specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: None. EDR agents cannot be installed on proprietary ICS/SCADA inverter firmware.
- Network Visibility: Medium. Network monitoring can detect anomalous access to the inverter's management interfaces or SQL injection payloads directed at the KACO Meteor server.
- Detection Difficulty: Hard. Credential derivation is computed offline from the serial number and produces no network telemetry; defenders can only detect the subsequent unauthorized login, which appears as legitimate Technical Service access.
Required Log Sources
- Network IDS/IPS
- Application Logs (KACO Meteor Server)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unusual or unexpected logins to the Technical Service accounts on KACO Blueplanet Inverters from unauthorized or unexpected IP addresses. | Application Logs (KACO Meteor Server), Network Flow Logs | Credential Access | Medium |
| If you have visibility into KACO Meteor server traffic, consider hunting for SQL injection patterns (e.g., unexpected SQL syntax or error messages) in management traffic. | Network IDS/IPS, Web Application Firewall (WAF) | Privilege Escalation | Low |
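Both hypotheses above can be checked with a small offline hunt over application logs. The following Python script is an added example, not part of the advisory and not KACO or Siemens code. It assumes a log layout of timestamp, source IP, account, event and request detail (the real KACO Meteor format is not documented here), an assumed engineering subnet from which Technical Service logins are expected, and an assumed account name for the Technical Service role; the sample log lines are constructed. It flags Technical Service logins from outside the allowlist and management requests that carry SQL syntax after URL decoding.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log lines. The field layout (timestamp, source IP, account,
# event, detail) is an assumption for this example; real KACO Meteor logs may differ.
SAMPLE_LOG = """\
2025-06-01T08:00:01Z 10.10.5.20 operator LOGIN_OK /dashboard
2025-06-01T08:02:11Z 10.10.5.21 service LOGIN_OK /service/config
2025-06-01T08:05:44Z 192.168.77.9 service LOGIN_OK /service/config
2025-06-01T08:06:02Z 192.168.77.9 service REQUEST /api/users?id=1'%20OR%20'1'='1
2025-06-01T08:07:30Z 10.10.5.20 operator REQUEST /api/users?id=42
"""

# Assumed engineering/maintenance subnet from which Technical Service logins are expected.
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]
# Assumed account name(s) that correspond to the Technical Service role.
SERVICE_ACCOUNTS = {"service"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<event>\S+)\s+(?P<detail>.*)$"
)

# Coarse SQL-syntax indicators, applied after URL decoding. Tune to the real parameter space.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'", re.IGNORECASE),                   # quote-delimited OR tautology
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),           # stacked result set
    re.compile(r"--\s*$|--\s"),                                  # comment truncation
    re.compile(r";\s*(drop|insert|update|delete)\b", re.IGNORECASE),  # stacked statement
]


@dataclass
class Finding:
    kind: str
    ts: str
    ip: str
    user: str
    detail: str


def parse_line(line: str):
    """Split one log line into fields; return None for lines that do not fit the assumed layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowlisted(ip: str) -> bool:
    """True if the source address falls inside an expected engineering subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as not trusted
    return any(addr in net for net in ENGINEERING_ALLOWLIST)


def looks_like_sqli(detail: str) -> bool:
    """True if the request detail contains SQL syntax that has no place in a parameter value."""
    decoded = unquote(detail)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def hunt(log_text: str) -> list:
    """Run both hunting hypotheses over the log and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Hypothesis 1: Technical Service login from outside the engineering allowlist.
        if (rec["event"] == "LOGIN_OK" and rec["user"] in SERVICE_ACCOUNTS
                and not is_allowlisted(rec["ip"])):
            findings.append(Finding("service_login_outside_allowlist",
                                    rec["ts"], rec["ip"], rec["user"], rec["detail"]))
        # Hypothesis 2: SQL syntax inside a management request.
        if rec["event"] == "REQUEST" and looks_like_sqli(rec["detail"]):
            findings.append(Finding("sqli_pattern",
                                    rec["ts"], rec["ip"], rec["user"], rec["detail"]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.kind:32} src={f.ip} user={f.user} {f.detail}")
```

On the constructed sample the hunt returns two findings from the same source address: a Technical Service login from outside the engineering subnet, followed by a request carrying a quote-delimited OR tautology. Seeing both kinds of finding from one address within minutes is exactly the sequence the attack chain above describes, so correlating on source IP is the useful next step once the log format is confirmed.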
Control Gaps
- Lack of EDR on embedded ICS devices
- Inability to rotate hard-coded derivation algorithms
Key Behavioral Indicators
- Anomalous logins to Technical Service accounts
- SQL injection payloads targeting Meteor server
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Apply firmware updates (V3.91 or V6.1.4.9) to affected KACO Blueplanet Inverters where available.
- Isolate affected inverters from business networks and the public internet.
Infrastructure Hardening
- Implement multi-level redundant secondary protection schemes for power grids to minimize the impact of cyber incidents.
- Restrict remote access to ICS networks using secure VPNs and strict firewall rules.
User Protection
- N/A
Security Awareness
- Ensure ICS operators are aware of the risks associated with hard-coded credentials and the importance of network segmentation.
MITRE ATT&CK Mapping
- T1078 - Valid Accounts
- T1068 - Exploitation for Privilege Escalation
- T1552 - Unsecured Credentials