User Authentication Bypass in Enphase Envoy Devices
CVE-2020-25754

7.5 HIGH

Key Information:

Vendor: Enphase

CVE Published: 16 June 2021

What is CVE-2020-25754?

A critical flaw has been identified in Enphase Envoy R3.x and D4.x devices: a custom PAM module used for user authentication circumvents traditional authentication mechanisms. The module uses a password derived from the MD5 hash of the username and the device serial number, and the serial number can be read by unauthenticated users through the /info.xml endpoint. Attempts to change user passwords with common methods such as 'passwd' are ineffective, leaving devices vulnerable to unauthorized access.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
