The SunPower PVS6's BluetoothLE interface is vulnerable due to its use of hardcoded encryption parameters and publicly accessible protocol details. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device's servicing interface. This access allows the attacker to perform actions such as firmware replacement, disabling power production, modifying grid settings, creating SSH tunnels, altering firewall settings, and manipulating connected devices.
History

Tue, 02 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description The SunPower PVS6's BluetoothLE interface is vulnerable due to its use of hardcoded encryption parameters and publicly accessible protocol details. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device's servicing interface. This access allows the attacker to perform actions such as firmware replacement, disabling power production, modifying grid settings, creating SSH tunnels, altering firewall settings, and manipulating connected devices.
Title Use of Hard-coded Credentials in SunPower PVS6
Weaknesses CWE-798
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-09-02T17:39:59.231Z

Reserved: 2025-08-29T14:17:40.379Z

Link: CVE-2025-9696

cve-icon Vulnrichment

Updated: 2025-09-02T17:39:56.706Z

cve-icon NVD

Status : Received

Published: 2025-09-02T17:15:36.403

Modified: 2025-09-02T17:15:36.403

Link: CVE-2025-9696

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.