IronMonkey Threat Research

Siemens KACO Blueplanet Inverters

HIGH
CVSS 8.3
Date 2026-06-09T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

KACO blueplanet Inverters contain multiple vulnerabilities. The most severe could allow an attacker to derive the Technical Service credentials from a device's serial number and misuse them to gain unauthorized access. KACO new energy GmbH has released new versions for several affected products and recommends updating to the latest versions. KACO new energy GmbH is preparing further fix versions and recommends countermeasures for products where fixes are not yet, or not at all, available.

// Vulnerabilities (2)

CVE ID           CVSS  Severity  Description
CVE-2026-41125   6.0   medium    Improper neutralization of special elements used in an SQL command ('SQL injection') in KACO Meteor server allows an authorized attacker to elevate privileges over a local network.
CVE-2025-40946   8.3   high      A CRC16-based algorithm for generating Technical Service credentials could allow an attacker to derive the credentials from the device's serial number and misuse them to gain unauthorized access.
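CVE-2025-40946 is an instance of a recurring ICS anti-pattern: a "secret" that is an unkeyed function of a public identifier. Serial numbers are printed on the label, shown in the web UI and usually readable over Modbus/SunSpec, so anyone who learns the derivation function computes the service code directly; and even without the function, a 16-bit CRC leaves only 65536 candidate codes. The following Python is an added illustrative example, not KACO's actual algorithm or fix: it assumes a standard CRC-16/CCITT-FALSE variant, a five-digit decimal code format, a constructed serial "123456789", and a login path with no lockout. The hardened alternative at the end (a random per-device password stored only as a salted hash) is a design sketch, not the vendor's remediation.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Tuple


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection).

    Assumption: a generic CRC16 variant. The advisory does not say which
    polynomial or framing KACO's algorithm uses, so this stands in for it.
    """
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def weak_service_code(serial: str) -> str:
    """Hypothetical weak scheme: service code = CRC16(serial), zero-padded.

    Anyone who can read the serial and knows the function computes exactly
    the code the device expects: one guess, no secret involved.
    """
    return f"{crc16_ccitt(serial.encode('ascii')):05d}"


def make_weak_login_oracle(serial: str) -> Tuple[Callable[[str], bool], dict]:
    """Model the device-side login check for the weak scheme: accept iff the
    submitted code equals CRC16(serial). Also returns a guess counter."""
    expected = weak_service_code(serial)
    attempts = {"n": 0}

    def oracle(candidate: str) -> bool:
        attempts["n"] += 1
        return hmac.compare_digest(candidate, expected)

    return oracle, attempts


def brute_force_weak_code(oracle: Callable[[str], bool]) -> Tuple[str, int]:
    """Even if the derivation function were unknown, a 16-bit code space is
    only 65536 values, so an online guess loop (no lockout assumed) recovers
    it exhaustively. Returns (recovered_code, guesses_needed)."""
    for guess in range(0x10000):
        candidate = f"{guess:05d}"
        if oracle(candidate):
            return candidate, guess + 1
    raise RuntimeError("code space exhausted without a match")


class ProvisionedServiceCredential:
    """Hardened alternative (design sketch, not KACO's fix): a random
    per-device Technical Service password generated at manufacture, handed
    to service staff out of band, and kept on the device only as a salted
    PBKDF2 hash. Nothing about it is derivable from the serial number."""

    ITERATIONS = 100_000

    def __init__(self, serial: str) -> None:
        self.serial = serial
        self.password = secrets.token_urlsafe(12)  # roughly 96 bits of entropy
        self.salt = secrets.token_bytes(16)
        self.stored_hash = self._hash(self.password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self.salt, self.ITERATIONS
        )

    def verify(self, candidate: str) -> bool:
        return hmac.compare_digest(self.stored_hash, self._hash(candidate))


if __name__ == "__main__":
    serial = "123456789"  # constructed sample serial, not a real device
    print("weak code for", serial, "=", weak_service_code(serial))
    oracle, attempts = make_weak_login_oracle(serial)
    print("brute force recovered:", brute_force_weak_code(oracle))
    cred = ProvisionedServiceCredential(serial)
    print("hardened verify(correct password):", cred.verify(cred.password))
    print("hardened verify(CRC guess):", cred.verify(weak_service_code(serial)))
```

The point for defenders: a credential derived from a public identifier cannot be "rotated" by changing the algorithm on the attacker's side, only by changing the scheme on the device, which is why the remediation is a firmware update rather than a password change. Until patched, treat the serial number as sensitive (restrict unauthenticated Modbus/SunSpec and web access that exposes it) and restrict network reachability of the service interface.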

// Remediations (4)

Patch: Update to V6.1.4.9 or later version
Patch: Update to V3.91 or later version
Patch: Update to V3.91 or later version
Patch: Update to V6.1.4.9 or later version

The advisory lists four patch entries, two pointing to V6.1.4.9 and two to V3.91, but this page does not name which affected product each version applies to; consult the vendor advisory for the product-to-version mapping before scheduling updates.
