CVE-2025-52586

Summary

The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings.

Affected Software

VendorProductVersion RangeStatus
EG4 ElectronicsEG4 12kPVall versionsaffected
EG4 ElectronicsEG4 18kPVall versionsaffected
EG4 ElectronicsEG4 Flex 21all versionsaffected
EG4 ElectronicsEG4 Flex 18all versionsaffected
EG4 ElectronicsEG4 6000XPall versionsaffected
EG4 ElectronicsEG4 12000XPall versionsaffected
EG4 ElectronicsEG4 GridBossall versionsaffected

Weaknesses

  • CWE-319: CWE-319

Workarounds

EG4 has acknowledged the vulnerabilities and is actively working on a fix, including new hardware expected to release by October 15, 2025. Until then, EG4 will actively monitor all installed systems and work with affected users on a case-by-case basis if anomalies are observed.

For more information, contact EG4. https://eg4electronics.com/contact/

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References