Siemens KACO Blueplanet Inverters contain two vulnerabilities, including a hard-coded cryptographic key issue (CVE-2025-40946) that allows attackers to derive device credentials from serial numbers, and an SQL injection (CVE-2026-41125) in the KACO Meteor server enabling privilege escalation. Siemens has released firmware updates for select models and recommends network isolation for affected devices.