Cybersecurity

ENSA-2023-1: Hard-coded credentials in Enphase Installer App (ITK) 3.27.0

Advisory ID:
ENSA-2023-1

CVSSv3:
8.6

Issue date:
2023-06-27

Updated on:
2023-06-27 (initial advisory)

CVE(s):
CVE-2023-32274

Synopsis:
Enphase Installer App 3.30.1 addresses hard-coded credentials embedded in binary code in Enphase Installer App 3.27.0

1. Impacted product

Enphase Installer App 3.27.0

2. Introduction

CISA published an advisory identifying hard-coded credentials in binary code in Enphase Installer App 3.27.0. An update is available to address this issue.

3. Summary

Description:
Enphase Installer App 3.27.0 contains hard-coded credentials in binary code that may allow an attacker to access information or write information to Enphase systems. CISA has evaluated the severity of this issue to be high with a CVSSv3 base score of 8.6.

Known attack vectors:
A malicious actor may be able to exploit the hard-coded credentials to access information or write information to Enphase systems.

Resolution:
Upgrading the Enphase Installer App 3.27.0 to 3.30.1 or newer through the Apple App store or Google Play store, and revocation of hard-coded credentials.

Workarounds:
None.

Additional documentation:
None.

Acknowledgments:
Enphase would like to thank the anonymous researcher “OBSWCY3F” for reporting this issue.

Notes:
None.

4. References

Enphase Installer App 3.30.1 release notes
Mitre CVE dictionary
FIRST CVSSv3 calculator
ICS advisory

5. Change log

2023-06-27 ENSA-2023-1: Initial security advisory.

6. Contact and information

cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center

Services and Frequently bought products

Loading

Installation at-home consultation

Need help with installation? Start by booking an At-home Consultation with an independent installation professional to receive a quote for your custom installation.

Confirm your installation zip code:

Please confirm your installation zip code

Confirm

Great news: Enphase’s at-home EV charger installation services are available in your area.

Unfortunately, Enphase's at-home EV charger installation services are not yet available in your area. You can click here to browse electricians with EV charger expertise.

Installation at-home consultation successfully added to cart

Are you shipping to your installation address?

Yes
No

Enter your installation address:

I have read Enphase's Privacy policy and I have read and agree to Enphase's terms and conditions.
I understand that this service is fulfilled by an independent professional utilizing the Enphase O&M Marketplace’s 365 Pronto platform. I confirm that I have reviewed and accept the 365 Pronto Customer Platform Services Agreement.

The zip code entered above does not match the entered address.

Price : $

?

Add

The At-home Consultation helps determine the full cost to install your new EV charger. The $150 fee is subtracted from your final installation price if you choose to accept the quote. After check out, Enphase will send you an email from its 365 Pronto Platform describing next steps.

Know more

What is included in this price?

The At-home Consultation includes a report detailing your EV readiness, and a custom, no-obligation quote for your EV charger installation. This $150 fee is subtracted from your final installation price if you choose to accept the quote.

What are the next steps?

After you check out, Enphase will send you a confirmation email from the 365 Pronto Platform, and your installation professional will directly contact you to schedule a time for your At-home Consultation.

What is the 365 Pronto Platform?

Enphase's 365 Pronto Platform is software that dispatches independent professionals to perform renewable energy services, including EV charger installations.

How will I be charged for these services?

The charge for your At-home Consultation will be processed through Enphase's Store. If you choose to accept your installation quote, you will pay for the installation separately via the 365 Pronto Platform.

Show less

Loading