Advisory ID:
ENSA-2023-1
CVSSv3:
8.6
Issue date:
2023-06-27
Updated on:
2023-06-27 (initial advisory)
CVE(s):
CVE-2023-32274
Synopsis:
Enphase Installer App 3.30.1 addresses hard-coded credentials embedded in binary code in Enphase Installer App 3.27.0
1. Impacted product
Enphase Installer App 3.27.0
2. Introduction
CISA published an advisory identifying hard-coded credentials in binary code in Enphase Installer App 3.27.0. An update is available to address this issue.
3. Summary
Description:
Enphase Installer App 3.27.0 contains hard-coded credentials in binary code that may allow an attacker to access information or write information to Enphase systems. CISA has evaluated the severity of this issue to be high with a CVSSv3 base score of 8.6.
Known attack vectors:
A malicious actor may be able to exploit the hard-coded credentials to access information or write information to Enphase systems.
Resolution:
Upgrading the Enphase Installer App 3.27.0 to 3.30.1 or newer through the Apple App store or Google Play store, and revocation of hard-coded credentials.
Workarounds:
None.
Additional documentation:
None.
Acknowledgments:
Enphase would like to thank the anonymous researcher “OBSWCY3F” for reporting this issue.
Notes:
None.
4. References
Enphase Installer App 3.30.1 release notes
Mitre CVE dictionary
FIRST CVSSv3 calculator
ICS advisory
5. Change log
2023-06-27 ENSA-2023-1: Initial security advisory.
6. Contact and information
cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center