CVE-2025-9696 | THREATINT

Description

The SunPower PVS6's BluetoothLE interface is vulnerable due to its use of hardcoded encryption parameters and publicly accessible protocol details. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device's servicing interface. This access allows the attacker to perform actions such as firmware replacement, disabling power production, modifying grid settings, creating SSH tunnels, altering firewall settings, and manipulating connected devices.

PUBLISHED Reserved 2025-08-29 | Published 2025-09-02 | Updated 2025-09-02 | Assigner icscert

CRITICAL: 9.4CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-798 Use of Hard-coded Credentials

Product status

Default status

unaffected

Any version

affected

Credits

Dagan Henderson finder

References

www.cisa.gov/news-events/ics-advisories/icsa-25-245-03 government-resource

cve.org (CVE-2025-9696)

nvd.nist.gov (CVE-2025-9696)

Download JSON