Technology

Millions of solar power systems worldwide have critical security vulnerabilities which could be used by hackers

March 30, 2025

Insecure solar systems allow cybercriminals to steal data and ransom access
Millions of solar inverters remain vulnerable to severe cybersecurity threats
Forescout – Vedere uncover flaws allowing attackers to take full control over solar systems

The increasing use of solar power has exposed critical cybersecurity vulnerabilities in inverters, cloud computing services, and monitoring platforms, creating an insecure ecosystem where hackers can manipulate energy production, disrupt power grids, and steal sensitive data, posing serious risks to global energy infrastructure, experts have warned.

A study by Forescout – Vedere Labs identified 46 new vulnerabilities across three major solar inverter manufacturers, including Sungrow, Growatt, and SMA. Previous findings showed that 80% of reported vulnerabilities were high or critical in severity, with some reaching the highest CVSS scores.

Over the past three years, an average of 10 new vulnerabilities have been disclosed annually, with 32% carrying a CVSS score of 9.8 or 10, indicating that attackers could fully compromise affected systems.

Millions of solar power systems face security risks

Many solar inverters connect directly to the internet, making them easy targets for cybercriminals. Attackers can exploit outdated firmware, weak authentication mechanisms, and unencrypted data transmissions to gain control.

Exposed APIs allow hackers to enumerate user accounts, reset credentials (ideally stored in password managers) to default values, and manipulate inverter settings, leading to power disruptions.

Additionally, insecure object references and cross-site scripting (XSS) vulnerabilities could expose user emails, physical addresses, and energy consumption data, violating privacy regulations such as GDPR.

Beyond grid instability, compromised inverters create further risks, including data theft, financial manipulation, and smart home hijacking – some vulnerabilities allow attackers to take control of electric vehicle chargers and smart plugs.

Cybercriminals could also alter inverter settings to influence energy prices or demand ransom payments to restore system functionality. As a result, the report recommends that manufacturers should prioritize patches, adopt secure coding practices, and conduct regular penetration testing.

Implementing Web Application Firewalls (WAFs) and adhering to cybersecurity frameworks like NIST IR 8259 could help mitigate risks.

Regulators are also urged to classify solar inverters as critical infrastructure and enforce security standards such as ETSI EN 303 645 to ensure compliance with best practices.

For solar system owners and operators, securing installations requires isolating solar devices on separate networks, enabling security monitoring, and following guidelines from organizations like the U.S. Department of Energy to reduce risks.

Installing the best antivirus software adds an extra layer of defense against threats, while deploying the best endpoint protection solutions further safeguards connected devices from cyberattacks targeting solar infrastructure.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar