Blueplanet Gridsafe 110 TL3-S — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/blueplanet-gridsafe-110-tl3-s/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 10:19:19 +0000KACO blueplanet Devices Vulnerable to Credential Derivation (CVE-2025-40946)https://feed.craftedsignal.io/briefs/2026-05-kaco-credential-disclosure/Tue, 12 May 2026 10:19:19 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-kaco-credential-disclosure/CVE-2025-40946 describes a vulnerability in KACO new energy blueplanet products where a weak CRC16-based algorithm for generating Technical Service credentials could allow an attacker to derive the credentials from the device's serial number and misuse them to gain unauthorized access.A vulnerability, CVE-2025-40946, exists in KACO new energy’s blueplanet product line. The affected products include a wide range of inverters and energy storage systems, such as blueplanet 100 NX3 M8, blueplanet 100 TL3 GEN2 (All versions < V6.1.4.9), and blueplanet gridsafe models. The vulnerability stems from a weak CRC16-based algorithm used to generate Technical Service credentials. An attacker with knowledge of this algorithm and a device’s serial number could derive valid credentials, leading to unauthorized access and control over the affected device. This is significant as it allows unauthorized modification of system settings, potential disruption of energy production, and possible lateral movement within a network if the device is interconnected with other systems.

Attack Chain

  1. Attacker gains knowledge of the CRC16-based algorithm used to generate Technical Service credentials.
  2. Attacker obtains the serial number of a vulnerable KACO blueplanet device (e.g., through physical access, network scanning, or publicly available information).
  3. Attacker inputs the device serial number into a custom script or tool implementing the known CRC16 algorithm.
  4. The script calculates the Technical Service credentials based on the serial number and the flawed algorithm.
  5. Attacker uses the derived credentials to authenticate to the device’s web interface or API.
  6. Upon successful authentication, the attacker gains unauthorized access to device settings and functionality.
  7. Attacker modifies configuration settings, such as grid parameters, communication protocols, or firmware update settings.
  8. The attacker could disrupt energy production, cause grid instability, or use the compromised device as a foothold for further attacks within the network.

Impact

Successful exploitation of CVE-2025-40946 allows an attacker to gain unauthorized access to KACO blueplanet devices. This can lead to a variety of impacts, including disruption of energy production, manipulation of grid parameters leading to potential grid instability, and the use of compromised devices as entry points for further attacks within a network. The wide range of affected devices increases the potential scope of impact, especially within organizations heavily reliant on KACO’s blueplanet series for energy management.

Recommendation

  • Upgrade blueplanet 100 TL3 GEN2, blueplanet 105 TL3 GEN2, blueplanet 125 TL3 GEN2, blueplanet 150 TL3 GEN2, blueplanet 155 TL3 GEN2, blueplanet 165 TL3 GEN2, blueplanet 87.0 TL3 GEN2, blueplanet 92.0 TL3 GEN2 to version V6.1.4.9 or later to remediate CVE-2025-40946.
  • Upgrade blueplanet gridsafe 110 TL3-S, blueplanet gridsafe 137 TL3-S, blueplanet gridsafe 92.0 TL3-S to version V3.91 or later to remediate CVE-2025-40946.
  • Monitor network traffic for suspicious authentication attempts to KACO blueplanet devices, especially from unusual source IPs or during off-peak hours. Create firewall rules based on network_connection logs.
  • Implement multi-factor authentication for all device access to mitigate credential-based attacks.
]]>highadvisorycredential-accessvulnerabilityKACO