Cybersecurity

ENSA-2023-1: Hard-coded credentials in Enphase Installer App (ITK) 3.27.0

Advisory ID:
ENSA-2023-1

CVSSv3:
8.6

Issue date:
2023-06-27

Updated on:
2023-06-27 (initial advisory)

CVE(s):
CVE-2023-32274

Synopsis:
Enphase Installer App 3.30.1 addresses hard-coded credentials embedded in binary code in Enphase Installer App 3.27.0


1. Impacted product

Enphase Installer App 3.27.0

2. Introduction

CISA published an advisory identifying hard-coded credentials in binary code in Enphase Installer App 3.27.0. An update is available to address this issue.

3. Summary

Description:
Enphase Installer App 3.27.0 contains hard-coded credentials in binary code that may allow an attacker to access information or write information to Enphase systems. CISA has evaluated the severity of this issue to be high with a CVSSv3 base score of 8.6.

Known attack vectors:
A malicious actor may be able to exploit the hard-coded credentials to access information or write information to Enphase systems.

Resolution:
Upgrading the Enphase Installer App 3.27.0 to 3.30.1 or newer through the Apple App store or Google Play store, and revocation of hard-coded credentials.

Workarounds:
None.

Additional documentation:
None.

Acknowledgments:
Enphase would like to thank the anonymous researcher “OBSWCY3F” for reporting this issue.

Notes:
None.

4. References

Enphase Installer App 3.30.1 release notes
Mitre CVE dictionary
FIRST CVSSv3 calculator
ICS advisory

5. Change log

2023-06-27 ENSA-2023-1: Initial security advisory.

6. Contact and information

cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center