
Researchers from Forescout Technologies’ Vedere Labs analyzed 35,000 solar power devices, including inverters, data loggers, monitors, gateways, and other communication equipment, which have internet-exposed management interfaces. Their goal was to highlight specific assets and assess geolocated risk. Europe emerged as the clear leader, accounting for 76 percent of the exposed solar power devices. One notable finding was that CONTEC SolarView Compact devices saw a 350 percent increase in internet exposure over the past two years.

On Tuesday, Forescout disclosed that the top vendors identified are SMA Solar Technology, Fronius International, Solare Datensysteme, Contec, Sungrow, Kostal Solar, Kasco New Energy, Growatt, Sinapsi, and others. Besides the fact that the three vendors analyzed in SUN:DOWN (SMA, Sungrow, and Growatt) appear on the list, Forescout noted that devices from these vendors have had vulnerabilities disclosed over the past decade. However, the top ten vendors with exposed devices are not the same as the top ten vendors worldwide based on market share. Major players like Huawei and Ginlong Solis are notably absent.

The geographic distribution of these vendors is also telling. Four are headquartered in Germany, two in China, and one each in Austria, Japan, the U.S., and Italy. The distribution does not align with the global market share rankings, where nine of the top ten vendors are based in China.

This follows closely on the heels of Forescout’s March disclosure, which revealed exposed vulnerabilities in solar power systems after analyzing six major solar inverter manufacturers, including Huawei, Sungrow, Ginlong Solis, Growatt, GoodWe, and SMA Solar Technology. The SUN:DOWN research revealed that Sungrow, SMA, and Growatt have nearly 50 vulnerabilities that could disrupt the power grid and lead to blackouts. At that time, the researchers identified 93 known vulnerabilities, with 80 percent classified as high or critical severity, having a CVSS score ranging from 9.8 to 10. 

Last month, U.S. energy officials were said to be reassessing the risks tied to Chinese-made components in renewable energy systems after suspicious communication equipment was found in some devices. At the same time, the World Economic Forum (WEF) flagged heightened concerns over critical infrastructure security following a widespread blackout in Spain and Portugal, which prompted early speculation about a possible cyberattack.

Another interesting highlight from the latest Forescout research was that Internet-exposed solar power devices are much more popular in Europe and Asia than in other regions. Europe accounts for over three-quarters of exposed devices, followed by 17 percent in Asia and the remaining 8 percent in the rest of the world. Germany and Greece each account for 20 percent of the total devices worldwide, followed by Japan and Portugal with 9 percent each, then Italy with 6 percent. 

The Vedere Labs team detailed that SMA Sunny WebBox devices have always been among the most exposed solar devices. “Researchers found a hard-coded account vulnerability on those devices in 2015 and worked with the vendor to remove some devices from the Internet. In December 2014, they had noticed 80,000 exposed devices, which had decreased to 9,500 in September 2015.” 

Almost a decade later, the researchers disclosed that, using the same query, the number has increased to over 13,000. “However, many of those are now honeypots. Using a more precise query to filter out honeypots yields 10,953 results. This accounts for 33% of all exposed devices. It is important to note that the WebBox product was discontinued in 2015.”

Researchers also highlighted the SolarView Compact, where 800 of these devices were hijacked in Japan last year and used for bank account theft. In 2023, before the attack, the researchers found around 600 of these on Shodan. In 2025, after the attack, they see close to 3,000, a growth of more than 350 percent in two years, representing almost eight percent of exposed devices.

SolarView Compact devices have known vulnerabilities that are actively being exploited by botnets, including CVE-2022-29303, CVE-2022-40881, CVE-2023-23333 and CVE-2023-29919. The first three are command injection flaws, while the last involves insecure permissions.

“We saw 27 unique firmware versions of SolarView Compact devices exposed online. 60% of devices were running versions 4.00 to 4.04; 28% ran versions 3.01 to 3.12; the remaining 12% ran versions below 3.00. No device was running the latest versions (8.20),” according to the researchers. “Merging data from our Adversary Engagement Environment and Greynoise, we identified 43 IP addresses that have targeted these devices in the past year. Most of those addresses are known to be involved with botnet operations or scanning the internet for vulnerable devices. Nine addresses are Tor exit nodes. Most of the IP addresses are registered in Singapore (21%), Germany (16%), and the Netherlands (14%).”

Forescout notes that although exploits targeting solar power systems are increasingly being embedded in botnets and gaining media attention, thousands of these devices remain exposed online and frequently unpatched, leaving them vulnerable to hijacking by threat actors. “Exploiting these devices with exposed management interfaces would likely have a lower impact on the grid, since they are largely outnumbered by the devices in SUN:DOWN that are managed via manufacturers’ clouds. Nevertheless, they can serve as initial access vectors into potentially sensitive networks.”

The main risk mitigation recommendations for organizations and owners of solar installations include patching devices as soon as possible and considering the retirement of any devices that cannot be patched. Additionally, management interfaces should not be exposed to the internet. If remote management is necessary, the device should be placed behind a VPN, and CISA’s guidelines for secure remote access should be followed.

Beyond that, follow the NIST guidelines for the cybersecurity of smart inverters in residential and commercial installations and the DOE recommendations.