CVE-2025-9696: CWE-798 Use of Hard-coded Credentials in SunPower PVS6
The SunPower PVS6's BluetoothLE interface is vulnerable due to its use of hardcoded encryption parameters and publicly accessible protocol details. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device's servicing interface. This access allows the attacker to perform actions such as firmware replacement, disabling power production, modifying grid settings, creating SSH tunnels, altering firewall settings, and manipulating connected devices.
AI Analysis
Technical Summary
CVE-2025-9696 is a critical vulnerability affecting the SunPower PVS6 solar inverter system, specifically its Bluetooth Low Energy (BluetoothLE) interface. The root cause is the use of hardcoded encryption parameters combined with publicly accessible protocol details, which significantly weakens the security of the device's servicing interface. An attacker within Bluetooth range can exploit this flaw without requiring any authentication or user interaction, gaining full control over the device. This includes the ability to replace firmware, disable power production, modify grid settings, create SSH tunnels, alter firewall configurations, and manipulate connected devices. The vulnerability is classified under CWE-798, indicating the use of hardcoded credentials or encryption keys, which is a well-known security anti-pattern that leads to easy compromise once discovered. The CVSS 4.0 score of 9.4 (critical) reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges or user interaction required. The vulnerability affects version 0 of the PVS6 product and was published on September 2, 2025. Although no known exploits are currently reported in the wild, the nature of the vulnerability and the criticality of the affected systems make it a significant threat, especially in industrial control and energy sectors relying on these inverters for power generation and grid management.
Potential Impact
For European organizations, this vulnerability poses a severe risk to the operational continuity and security of solar power infrastructure. Exploitation could lead to unauthorized shutdowns of solar power production, causing energy supply disruptions and financial losses. The ability to alter grid settings and firewall rules could facilitate further lateral movement or persistent access within critical infrastructure networks. Additionally, firmware replacement and SSH tunnel creation could enable attackers to implant persistent backdoors or disrupt device functionality, undermining trust in renewable energy assets. Given Europe's strong emphasis on renewable energy and grid stability, such an attack could have cascading effects on energy markets, regulatory compliance, and national energy security. Organizations managing solar farms, energy utilities, and critical infrastructure operators are particularly at risk, as compromised devices could be leveraged for sabotage or espionage. The Bluetooth range limitation means attackers need physical proximity, but this is feasible in many operational environments where devices are accessible or in public/industrial settings.
Mitigation Recommendations
Immediate mitigation should focus on isolating the BluetoothLE interface from untrusted environments. Organizations should restrict physical access to the devices and monitor for unauthorized Bluetooth activity. Network segmentation should be enforced to limit the impact of any compromise. Since no patches are currently available, deploying compensating controls such as disabling Bluetooth interfaces where possible or using external Bluetooth jamming devices in sensitive areas may reduce risk. Additionally, organizations should implement strict monitoring and alerting for unusual device behavior, including unexpected firmware changes or configuration modifications. For future deployments, insist on vendor updates that eliminate hardcoded credentials and implement strong, dynamic authentication and encryption mechanisms. Conduct thorough security assessments of all IoT and industrial devices before integration into critical infrastructure. Finally, establish incident response plans specifically addressing potential attacks on energy infrastructure devices.
Affected Countries
Germany, France, Spain, Italy, Netherlands, Belgium, Sweden, Denmark, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: icscert
- Date Reserved: 2025-08-29T14:17:40.379Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b71fb3ad5a09ad00e56fe1
Added to database: 9/2/2025, 4:47:47 PM
Last enriched: 9/2/2025, 5:02:44 PM
Last updated: 9/2/2025, 7:20:54 PM