2023-06-27 (initial advisory)
Enphase Installer App 3.30.1 addresses hard-coded credentials embedded in binary code in Enphase Installer App 3.27.0
1. Impacted product
Enphase Installer App 3.27.0
CISA published an advisory identifying hard-coded credentials in binary code in Enphase Installer App 3.27.0. An update is available to address this issue.
Enphase Installer App 3.27.0 contains hard-coded credentials in binary code that may allow an attacker to access information or write information to Enphase systems. CISA has evaluated the severity of this issue to be high with a CVSSv3 base score of 8.6.
Known attack vectors:
A malicious actor may be able to exploit the hard-coded credentials to access information or write information to Enphase systems.
The resolution is upgrading Enphase Installer App 3.27.0 to 3.30.1 or newer through the Apple App Store or Google Play Store, together with revocation of the hard-coded credentials.
Enphase would like to thank the anonymous researcher “OBSWCY3F” for reporting this issue.
5. Change log
2023-06-27 ENSA-2023-1: Initial security advisory.