Here are some excerpts from the recent CISA Advisory for EG4 Inverters:
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07
EXECUTIVE SUMMARY
- CVSS v4 9.2
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: EG4 Electronics
- Equipment: EG4 Inverters
- Vulnerabilities: Cleartext Transmission of Sensitive Information, Download of Code Without Integrity Check, Observable Discrepancy, Improper Restriction of Excessive Authentication Attempts
3.1 AFFECTED PRODUCTS
The following EG4 Electronics inverters are affected:
- EG4 12kPV: All versions
- EG4 18kPV: All versions
- EG4 Flex 21: All versions
- EG4 Flex 18: All versions
- EG4 6000XP: All versions
- EG4 12000XP: All versions
- EG4 GridBoss: All versions
....
4. MITIGATIONS
EG4 has acknowledged the vulnerabilities and is actively working on a fix, including new hardware expected to release by October 15, 2025. Until then, EG4 will actively monitor all installed systems and work with affected users on a case-by-case basis if anomalies are observed.
Note that CVE-2025-46414 was fixed on April 6, 2025. No user action was or is necessary.
For more information, contact EG4.
cc: @eric