CVE-2025-9696 CRITICAL

CVE-2025-9696: Use of Hard-coded Credentials in SunPower PVS6

Vendor SunPower
Product PVS6
Weakness CWE-798 · Hardcoded credentials
Published September 2, 2025
Last update September 2, 2025

CVSS base score

9.4/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

The Bluetooth LE interface of the SunPower PVS6 uses hardcoded encryption parameters, and its protocol details are publicly accessible. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device's servicing interface. With that access, the attacker can replace firmware, disable power production, modify grid settings, create SSH tunnels, alter firewall settings, and manipulate connected devices.

Key dates

02 Disclosure timeline

September 2, 2025 CVE published
September 2, 2025 Record updated