- German cybersecurity firm Jakkaru identifies remote firmware injection flaw enabling full system compromise.
- Over 100,000 inverters confirmed vulnerable, with wider exposure likely across 600,000 installations.
- Attack scenarios include grid disruption, device destruction and large scale cyber-attacks.
German cybersecurity firm Jakkaru has identified a critical vulnerability in solar microinverters manufactured by APsystems, raising fresh concerns about the resilience of distributed energy infrastructure.
The findings build on earlier research that exposed data leaks involving WiFi credentials, location and energy data. The newly disclosed flaw enables remote firmware injection, allowing attackers to gain full control over affected devices.
The vulnerability affects the widely deployed EZ1 M microinverter, including white label variants such as the Anker Solix Mi80. APsystems supplies microinverters alongside residential and commercial battery storage solutions and monitoring platforms, with the EZ1 M remaining one of its most commonly installed units.
Hardware analysis reveals a dual microcontroller design. An ESP32C2 chip handles cloud communication and grid interaction, while a TI C2000 microcontroller manages DC to AC power conversion. Researchers noted similarities with the DS3 series, suggesting shared architecture across multiple inverter models.
Firmware investigation showed that devices communicate via an MQTT broker using authentication derived from encrypted serial numbers encoded in Base64. The use of static keys combined with predictable serial number sequences creates a significant security weakness, enabling attackers to generate valid credentials without direct device access.
Although access controls limit communication to device specific topics and enforce single connections, Jakkaru demonstrated that these protections can be bypassed using retained MQTT messages. This allows an attacker to disconnect a legitimate inverter, inject a malicious over the air update command and force the device to install compromised firmware upon reconnection.
A proof of concept exploit confirmed the ability to alter firmware behaviour and disable future updates. Further analysis indicates that attackers could also target the secondary C2000 controller, enabling deeper control over inverter operations and increasing the risk of physical damage or grid level disruption.
Potential attack scenarios include using compromised inverters as entry points into local networks, coordinating mass shutdowns to destabilise power systems, launching distributed denial of service attacks, corrupting firmware to destroy devices and extracting sensitive user data.
Telemetry scans identified approximately 100,000 vulnerable units currently accessible. However, the total exposure is likely significantly higher, as the same communication infrastructure appears to be used across multiple APsystems product lines, including residential storage systems.
With an estimated 600,000 installations connected to the platform, the findings from Jakkaru highlight escalating cybersecurity risks in the solar sector and reinforce the need for stronger protections across distributed energy assets.
Link to the full findings HERE
Author: Bryan Groenendaal












