CVE-2020-25753 - Unspecified vulnerability in Enphase Envoy Firmware D4.0/R3.0
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH

Summary
An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 software. The default admin password is set to the last 6 digits of the serial number. The serial number can be retrieved by an unauthenticated user at /info.xml.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 2 |
Hardware | | 1 |
References
- https://enphase.com/en-us/products-and-services/envoy-and-combiner
- https://medium.com/stage-2-security/can-solar-controllers-be-used-to-generate-fake-clean-energy-credits-4a7322e7661a
- https://stage2sec.com