Use of Hard-coded Credentials in SunPower PVS6
CVE-2025-9696

9.4CRITICAL

Key Information:

Vendor: Sunpower
Status: Pvs6
Vendor: CVE Published:; 2 September 2025

What is CVE-2025-9696?

The SunPower PVS6's BluetoothLE interface is vulnerable due to its use of hardcoded encryption parameters and publicly accessible protocol details. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device's servicing interface. This access allows the attacker to perform actions such as firmware replacement, disabling power production, modifying grid settings, creating SSH tunnels, altering firewall settings, and manipulating connected devices.

Affected Version(s)

PVS6 0 <= 2025.06 build 61839

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-2...

government-resource

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 2, 2025
Vulnerability Reserved
Aug 29, 2025

Credit

Dagan Henderson

Sunpower

What is CVE-2025-9696?

Affected Version(s)

References

CVSS V4

Timeline

Credit