Key Findings
- Solar power cybersecurity has been getting a lot of public attention lately after rogue devices, major EU power outages, and cybercrime.
- Solar power is a rapidly growing renewable energy source, but there are security issues with remote inverter management, whether via cloud applications or via direct access to management interfaces within inverters.
- Earlier this year, we published our SUN:DOWN research:
  - We found 46 new vulnerabilities affecting solar power systems
  - Some of them could be exploited to hijack a fleet of inverters
- Today, we look specifically at 35,000 solar power devices, including inverters, with internet-exposed management interfaces to spotlight specific assets and geolocated risk.
  - Europe is the overwhelming leader in exposed solar power devices (76%)
  - CONTEC SolarView Compact devices had a 350% rise in internet-exposed devices in two years
Mitigation Recommendations
- Do not expose inverter management interfaces to the internet.
- Patch devices as soon as possible and consider retiring those that for some reason cannot be patched.
- If a device needs to be managed remotely, consider placing it behind a VPN and following CISA’s guidelines for remote access.
- Follow the NIST guidelines for the cybersecurity of smart inverters in residential and commercial installations.
Risks lurking in solar power systems have been in the headlines recently.
On May 14, Reuters reported rogue communication devices were found in Chinese-manufactured solar power inverters. That news prompted governments throughout the world to evaluate the potential impact of these inverters being remotely disabled.
Also, last month, the Iberian peninsula experienced a massive power grid failure in which Madrid, Lisbon and the whole region were deeply affected by a blackout. Life came to a sudden halt. Airports shut down. Trains stopped in the middle of nowhere. Traffic lights were out. Digital payment systems to buy food and water were useless. It was a chaotic and stressful time.
It likely wasn’t a cyber attack that caused this power failure, but media headlines and public statements from governments made it clear what security professionals already know: there are known vulnerabilities in the grid and attackers could exploit them to achieve a similar blackout effect.
One of the main issues currently being investigated is whether the high penetration of renewable energy in Spain’s grid – around 70% of power generated in the country shortly before the failure was from renewables – could have led to or exacerbated the grid failure.
Our own Rik Ferguson, VP of Security Intelligence, wrote about the outage and the nuance that underscores today’s technology challenges in renewables, despite their known environmental benefits:
“Our electricity grid was originally designed around fossil fuel and then nuclear plants, which rely on big, heavy turbines. These turbines spin continuously and create something called mechanical inertia; their size and weight help keep the grid stable. When small disturbances happen, like a storm, turbines act like shock absorbers, smoothing out the bumps,” Ferguson says in his LinkedIn post.
“But modern renewable sources like solar panels and wind farms don’t use turbines; they use inverters. Most of today’s systems use Grid Following (GFL) inverters, which simply track the grid’s frequency instead of resisting sudden changes. They follow, but they don’t lead. That means the grid loses the natural stabilizing force turbines once provided.”
Ferguson goes on to recommend a two-fold solution using “synthetic inertia” and grid-forming inverters that can actively stabilize the grid.
Our Research on Solar Power Systems Vulnerabilities
Forescout Research – Vedere Labs recently published SUN:DOWN, a set of 46 new vulnerabilities affecting solar power systems that could be exploited to hijack a fleet of inverters. Since these systems are rapidly becoming essential elements of power grids throughout the world, this represents a growing risk to grid stability.
We didn’t discuss in that report the issue of solar power systems with internet-exposed administrative interfaces. That was for a simple reason: since the SUN:DOWN vulnerabilities could be exploited via cloud management systems, they did not require inverter management interfaces to be exposed.
That does not mean that solar power devices with exposed management interfaces are not a problem. They are, as these devices may be susceptible to other vulnerabilities, which we catalogued in the SUN:DOWN report, including some that are known to be exploited by botnets.
In this blog, we detail almost 35,000 of these devices found using the Shodan search engine, some indicators of compromise related to their exploitation and mitigation recommendations.
Internet-Exposed Solar Power Systems
Using Shodan, we identified almost 35,000 solar power devices from 42 vendors with exposed management interfaces on May 9, 2025. These devices include inverters, data loggers, monitors, gateways and other communication equipment.
The most popular vendors are shown in the figure below. Besides the fact that the three vendors analyzed in SUN:DOWN are in that list (SMA, Sungrow and Growatt), there are some other interesting facts:
- Devices from all the top 10 vendors in that list have had vulnerabilities disclosed in the past decade.
- The top 10 vendors with exposed devices are not the same as the top 10 vendors in the world based on market share. Notable omissions include Huawei and Ginlong Solis.
- Four of the top 10 vendors with exposed devices are headquartered in Germany, two in China and one each in Austria, Japan, US and Italy. This distribution also does not match the top 10 vendors worldwide by market share, since 9 of those are Chinese.
Internet-exposed solar power devices are much more common in Europe and Asia than in other regions. Europe accounts for over three-quarters of exposed devices, followed by 17% in Asia and the remaining 8% in the rest of the world. Germany and Greece each account for 20% of the total devices worldwide, followed by Japan and Portugal with 9% each, then Italy with 6%. The heatmap below shows the distribution of those devices in the rest of the world.
The five most popular products account for more than 70% of exposed devices, as shown below.
SMA Sunny WebBox devices have always been among the most often exposed solar devices. Researchers found a hard-coded account vulnerability on those devices in 2015 and worked with the vendor to remove some devices from the internet. In December 2014, they had noticed 80,000 exposed devices, which had decreased to 9,500 in September 2015. Almost a decade later, using the same query, that number has increased to over 13,000. However, many of those are now honeypots. Using a more precise query to filter out honeypots yields 10,953 results. This accounts for 33% of all exposed devices. It is important to note that the WebBox product was discontinued in 2015.
The other very interesting device in this list is the SolarView Compact. Eight hundred (800) of these devices were hijacked in Japan last year and used for bank account theft. Researchers in 2023 – before the attack – found around 600 of these on Shodan. In 2025 – after the attack – we see close to 3,000, a growth of more than 350% in two years. They now represent almost 8% of exposed devices.
Being exposed on the internet is usually not an inherent vulnerability of a device, but the result of users configuring port forwarding, something that is discouraged by vendors. SMA, for instance, has a cybersecurity guideline which states that these devices should be “behind the fence,” i.e. inaccessible from the public internet.
Some devices have relevant vulnerabilities, though.
SolarView Compact devices are known to contain vulnerabilities under active exploitation by botnets: CVE-2022-29303, CVE-2022-40881, CVE-2023-23333 and CVE-2023-29919. The first three vulnerabilities are command injections and the last is an insecure permissions issue.
We saw 27 unique firmware versions of SolarView Compact devices exposed online. 60% of devices were running versions 4.00 to 4.04; 28% ran versions 3.01 to 3.12; the remaining 12% ran versions below 3.00. No device was running the latest version (8.20).
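The firmware breakdown above is the kind of check an asset owner can run over their own inventory. The following added example (not code from the blog or from CONTEC) parses reported firmware strings, compares them numerically against the latest version the blog names (8.20), and groups devices into the same bands the blog reports, generalized so that any version from 4.00 up to the latest falls in one band. The inventory and device ids are constructed sample values; the "MAJOR.MINOR" version format is assumed from the versions quoted in the text.

```python
import re
from collections import Counter

# Latest SolarView Compact firmware version named in the blog.
LATEST_VERSION = "8.20"

# Constructed inventory of exposed devices (device id, reported firmware string).
# Sample values only, not data from the blog.
INVENTORY = [
    ("sv-001", "4.02"), ("sv-002", "4.00"), ("sv-003", "4.04"),
    ("sv-004", "3.12"), ("sv-005", "3.01"), ("sv-006", "2.90"),
    ("sv-007", "8.20"), ("sv-008", "4.03"), ("sv-009", "3.05"),
    ("sv-010", "4.01"),
]


def parse_version(v):
    """Parse 'MAJOR.MINOR' into an integer tuple so versions compare numerically.
    Plain string comparison would wrongly rank '10.00' below '4.00'."""
    m = re.fullmatch(r"(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {v!r}")
    return (int(m.group(1)), int(m.group(2)))


def is_outdated(v, latest=LATEST_VERSION):
    """True when the reported version is older than the latest release."""
    return parse_version(v) < parse_version(latest)


def bucket(v, latest=LATEST_VERSION):
    """Map a version to the bands the blog reports: latest, 4.00 and above, 3.xx, below 3.00."""
    major, _ = parse_version(v)
    if not is_outdated(v, latest):
        return "latest"
    if major >= 4:
        return "4.00+"
    if major == 3:
        return "3.xx"
    return "<3.00"


def summarize(inventory, latest=LATEST_VERSION):
    """Count devices per band and return {band: (count, percent of inventory)}."""
    counts = Counter(bucket(v, latest) for _, v in inventory)
    total = len(inventory)
    return {b: (n, round(100.0 * n / total, 1)) for b, n in counts.items()}


def outdated_devices(inventory, latest=LATEST_VERSION):
    """Device ids that should be patched, or isolated if they cannot be patched."""
    return sorted(d for d, v in inventory if is_outdated(v, latest))


if __name__ == "__main__":
    for band, (n, pct) in summarize(INVENTORY).items():
        print(f"{band:>7}: {n:3d} devices ({pct}%)")
    print("patch or isolate:", ", ".join(outdated_devices(INVENTORY)))
```

The numeric comparison matters because devices often report versions as free-form strings; sorting them lexically would misplace any future two-digit major release and hide outdated units from the "patch or isolate" list.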
Merging data from our Adversary Engagement Environment and GreyNoise, we identified 43 IP addresses that have targeted these devices in the past year (listed under IoCs at the end of this blog). Most of those addresses are known to be involved with botnet operations or scanning the internet for vulnerable devices. Nine addresses are Tor exit nodes. Most of the IP addresses are registered in Singapore (21%), Germany (16%) and the Netherlands (14%).
Go deeper: Watch this on-demand webinar on the SUN:DOWN research with Daniel dos Santos, Head of Research at Vedere Labs.
Conclusion and Mitigation Recommendations
Even as exploits for solar power systems are being embedded in botnets and attacks are starting to make headlines, we still see thousands of these devices exposed online and often unpatched, leaving them open to being hijacked by threat actors.
For a full discussion about the impact of vulnerable solar power equipment, see our SUN:DOWN report. Exploiting these devices with exposed management interfaces would likely have a lower impact on the grid, since they are largely outnumbered by the devices in SUN:DOWN that are managed via manufacturers’ clouds. Nevertheless, they can serve as initial access vectors into potentially sensitive networks.
The main risk mitigation recommendations for organizations and owners of solar installations are:
- Patch devices as soon as possible and consider retiring those that for some reason cannot be patched.
- Do not expose these management interfaces to the internet. If a device needs to be managed remotely, consider placing it behind a VPN and following CISA’s guidelines for remote access.
Beyond that, follow the NIST guidelines for the cybersecurity of smart inverters in residential and commercial installations and the DOE recommendations for industrial installations.
For the CONTEC SolarView Compact vulnerabilities (CVE-2022-29303, CVE-2022-40881, CVE-2023-23333 and CVE-2023-29919), see these patches. All vendors mentioned in this report have been contacted.
IoCs
The indicators of compromise (IoCs) below are available on the Forescout Vedere Labs threat feed.
3.0.227[.]168
8.218.168[.]197
18.138.1[.]114
18.138.68[.]225
34.155.112[.]225
34.155.165[.]49
34.155.184[.]19
41.193.168[.]37
45.66.35[.]33
45.84.107[.]17
45.95.147[.]253
46.19.139[.]130
46.249.32[.]2
47.128.167[.]47
47.128.192[.]115
47.128.87[.]232
52.58.29[.]62
52.74.236[.]95
54.151.252[.]177
89.36.231[.]128
103.195.202[.]5
103.77.207[.]24
109.196.165[.]138
139.162.170[.]160
139.59.223[.]9
146.19.24[.]76
162.158.118[.]145
172.104.130[.]164
172.71.24[.]191
178.46.162[.]15
185.112.83[.]125
185.118.79[.]98
185.220.100[.]247
185.220.101[.]30
185.220.101[.]31
187.87.131[.]9
192.110.166[.]214
192.42.116[.]208
192.42.116[.]209
192.42.116[.]216
193.189.100[.]200
198.135.52[.]148
213.209.150[.]108
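The IoCs above are published defanged (`[.]` in place of `.`), so they must be restored before they can be matched against logs. The following added example (not code from the blog or from Forescout) refangs a subset of the list, validates each entry as an IP address, and runs the resulting set over a web-server access log from an inverter's management interface, reporting every request from a listed address and how many contacts each address made. The log lines are constructed samples in the common combined log format; the format itself and the request paths are assumptions, not data from the blog.

```python
import ipaddress
import re
from collections import Counter

# Constructed subset of the defanged IoC list from the blog; the full list is in the IoCs section.
DEFANGED_IOCS = """
3.0.227[.]168
185.220.101[.]30
192.42.116[.]208
213.209.150[.]108
"""


def refang(indicator):
    """Restore a defanged IP (e.g. 3.0.227[.]168) to its routable form for matching."""
    return indicator.strip().replace("[.]", ".")


def load_iocs(text):
    """Parse a defanged IoC list into a set of validated IP strings."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip = refang(line)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed entry
        iocs.add(ip)
    return iocs


# Constructed access log (combined log format) for a device's management interface.
# Sample lines only, not data from the blog.
SAMPLE_LOG = """\
3.0.227.168 - - [09/May/2025:10:15:02 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.7 - - [09/May/2025:10:15:10 +0000] "GET /index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
185.220.101.30 - - [09/May/2025:10:16:44 +0000] "GET /login.html HTTP/1.1" 200 880 "-" "curl/8.5.0"
192.168.1.20 - - [09/May/2025:10:17:01 +0000] "POST /login.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.42.116.208 - - [09/May/2025:10:18:30 +0000] "GET / HTTP/1.1" 200 1532 "-" "python-requests/2.32"
3.0.227.168 - - [09/May/2025:10:19:05 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def find_hits(log_text, iocs):
    """Return (ip, timestamp, request, status) for each log line whose client IP is an IoC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if m.group("ip") in iocs:
            hits.append((m.group("ip"), m.group("ts"), m.group("req"), int(m.group("status"))))
    return hits


def hits_by_source(hits):
    """Number of matching requests per IoC address."""
    return Counter(ip for ip, *_ in hits)


if __name__ == "__main__":
    iocs = load_iocs(DEFANGED_IOCS)
    hits = find_hits(SAMPLE_LOG, iocs)
    for ip, ts, req, status in hits:
        print(f"{ts} {ip} {req!r} -> {status}")
    print("contacts per IoC:", dict(hits_by_source(hits)))
```

A hit from any of these addresses against a management interface is evidence that the interface is reachable from the internet, which is the condition the mitigation section says should not exist; the first response is to remove the exposure, then review the device for the vulnerabilities listed above.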