CVE-2020-25753 – An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 so

An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 software. The default admin password is set to the last 6 digits of the serial number. The serial number can be retrieved by an unauthenticated user at /info.xml.

 

Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25753

Reference (s):

• https://enphase.com/en-us/products-and-services/envoy-and-combiner
• https://medium.com/stage-2-security/can-solar-controllers-be-used-to-generate-fake-clean-energy-credits-4a7322e7661a
• https://stage2sec.com