
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN577
_____________________________________________________________________

DATE                : 04/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): SunPower PVS6's BluetoothLE software.

=====================================================================
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-03
_____________________________________________________________________

 SunPower PVS6

Release Date
September 02, 2025

Alert Code
ICSA-25-245-03

Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems

1. EXECUTIVE SUMMARY

    CVSS v4 9.4
    ATTENTION: Exploitable from an adjacent network/low attack
complexity
    Vendor: SunPower
    Equipment: PVS6
    Vulnerability: Use of Hard-Coded Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attackers
to gain full access to the device, enabling them to replace firmware,
modify settings, disable the device, create SSH tunnels, and
manipulate attached devices.


3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SunPower PVS6 are affected:

    PVS6: Versions 2025.06 build 61839 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798

The SunPower PVS6's BluetoothLE interface is vulnerable due to its use
of hardcoded encryption parameters and publicly accessible protocol
details. An attacker within Bluetooth range could exploit this
vulnerability to gain full access to the device's servicing interface.
This access allows the attacker to perform actions such as firmware
replacement, disabling power production, modifying grid settings,
creating SSH tunnels, altering firewall settings, and manipulating
connected devices.

CVE-2025-9696 has been assigned to this vulnerability. A CVSS v3.1
base score of 9.6 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-9696. A base
score of 9.4 has been calculated; the CVSS vector string is
(AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).


3.3 BACKGROUND

    CRITICAL INFRASTRUCTURE SECTORS: Energy
    COUNTRIES/AREAS DEPLOYED: Worldwide
    COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Dagan Henderson reported this vulnerability to CISA.

4. MITIGATIONS

SunPower did not respond to CISA's attempt to coordinate these
vulnerabilities. Users should contact SunPower for more
information.

CISA recommends users take defensive measures to minimize the
risk of exploitation of this vulnerability, such as:

    Minimize network exposure for all control system devices
and/or systems, ensuring they are not accessible from the
internet.
    Locate control system networks and remote devices behind
firewalls and isolate them from business networks.
    When remote access is required, use more secure methods,
such as Virtual Private Networks (VPNs), recognizing VPNs may
have vulnerabilities and should be updated to the most current
version available. Also recognize VPN is only as secure as
the connected devices.

CISA reminds organizations to perform proper impact analysis
and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security
recommended practices on the ICS webpage on cisa.gov/ics.
Several CISA products detailing cyber defense best practices
are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with
Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended
cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are
publicly available on the ICS webpage at cisa.gov/ics in the
technical information paper, ICS-TIP-12-146-01B--Targeted
Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should
follow established internal procedures and report findings
to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to
protect themselves from social engineering attacks:

    Do not click web links or open attachments in unsolicited
email messages.
    Refer to Recognizing and Avoiding Email Scams for more
information on avoiding email scams.
    Refer to Avoiding Social Engineering and Phishing Attacks
for more information on social engineering attacks.

No known public exploitation specifically targeting this
vulnerability has been reported to CISA at this time. This
vulnerability is not exploitable remotely.


5. UPDATE HISTORY

    September 2, 2025: Initial Publication



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
