Multiple Vulnerabilities in Siemens KACO Blueplanet Inverters Allow Credential Derivation and SQL Injection
Siemens KACO blueplanet inverters are affected by multiple vulnerabilities. The first (CVE-2025-40946, CVSS 8.3) could allow an attacker to derive technical service credentials from the device serial number using a CRC16-based algorithm. The second (CVE-2026-41125) is an SQL injection vulnerability in the KACO Meteor server that could allow an authorized attacker to elevate privileges over a local network. These vulnerabilities impact a wide range of blueplanet inverter models, including the NX3, TL3, and gridsafe series, either in all versions or in specific versions below the patched releases. Siemens has released updates for several affected products, while fixes for others are in preparation. Because these inverters are critical infrastructure components deployed worldwide in the energy sector, the vulnerabilities pose risks to grid reliability. CISA and Siemens recommend applying security updates, using VPNs, and following defense-in-depth strategies.
Key facts
- CVE-2025-40946: CRC16-based algorithm allows deriving technical service credentials from serial number.
- CVE-2026-41125: SQL injection in KACO Meteor server enables privilege escalation.
- Affects multiple blueplanet inverter models including NX3, TL3, and gridsafe series.
- Siemens released updates; some fixes are still in preparation.
- Deployed worldwide in energy sector; mitigation includes updates, VPNs, and network segmentation.