A critical security advisory (ICSA-26-160-02) has been released affecting multiple Siemens KACO blueplanet Inverters. These devices contain a logic flaw allowing attackers to derive administrative credentials solely from the device's serial number. Given that serial numbers are often visible on physical labels or easily queryable via SNMP, this significantly lowers the barrier for unauthorized access to operational technology (OT) environments. Defenders must treat this as a critical risk to power generation infrastructure and prioritize isolation and patching immediately.
Technical Analysis
Affected Products and Versions: The advisory confirms impact across several KACO blueplanet series, including:
- blueplanet 100 NX3 M8 (all versions)
- blueplanet 100 TL3 GEN2 (all versions;
intdot< 6.1.4.9) - blueplanet 105 TL3 (all versions)
- blueplanet 105 TL3 GEN2 (all versions;
intdot< 6.1.4.9) - blueplanet 110 TL3 (all versions)
- blueplanet 125 NX3 M11 (all versions)
Vulnerability Mechanics: The core issue is a weak credential generation algorithm. The devices utilize a predictable scheme where the administrative password is mathematically derived from the unit's Serial Number (S/N).
Attack Chain:
- Reconnaissance: An attacker scans the network for KACO devices or physically inspects installation sites to obtain the S/N. Alternatively, they may use SNMP
GETrequests to querysysSerialNumberif the community string is default or guessed. - Credential Derivation: Using the known algorithm (or a public tool derived from it), the attacker calculates the device's administrative password.
- Unauthorized Access: The attacker authenticates to the web interface or maintenance port, gaining full control over the inverter settings.
- Impact: This allows for operational disruption, firmware manipulation, or using the inverter as a pivot point deeper into the OT network.
Detection & Response
While we cannot deploy EDR agents on solar inverters, we can detect the precursors to exploitation on the network boundary. The following rules focus on detecting the reconnaissance phase (SNMP queries for serial numbers) and unauthorized access attempts to the management interfaces.
---
title: Potential Reconnaissance of KACO Inverters via SNMP
id: 8a4c2d10-5e67-4f12-b909-1c3e8d90f123
status: experimental
description: Detects SNMP GET requests for system serial numbers (sysSerialNumber) targeting OT subnets, often a precursor to deriving default credentials on ICS devices.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-160-02
author: Security Arsenal
date: 2026/04/21
tags:
- attack.discovery
- attack.t1018
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 161
Protocol|contains: 'udp'
filter_noise:
DestinationIpAddress|startswith:
- '192.168.'
- '10.'
- '172.16.'
condition: selection and not filter_noise
falsepositives:
- Authorized network scanning tools
- SNMP monitoring systems
level: medium
---
title: KACO Inverter Management Interface Access from Non-Admin Hosts
id: 9b5d3e21-6f78-5a23-c0a1-2d4f9e01a234
status: experimental
description: Detects inbound connections to KACO inverter management ports (typically 80/443/502) from endpoints outside the designated OT admin subnet.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-160-02
author: Security Arsenal
date: 2026/04/21
tags:
- attack.initial_access
- attack.t1190
logsource:
category: network_connection
product: windows
detection:
selection_ports:
DestinationPort:
- 80
- 443
- 502
selection_scope:
DestinationIpAddress|cidr: '192.0.2.0/24' # REPLACE WITH YOUR ICS SUBNET
filter_admin:
SourceIpAddress|cidr: '198.51.100.0/24' # REPLACE WITH YOUR ADMIN SUBNET
condition: selection_ports and selection_scope and not filter_admin
falsepositives:
- Legitimate access from unauthorized laptop
level: high
**Microsoft Sentinel / Defender KQL Hunt:**
This query hunts for SNMP traffic targeting your ICS VLANs that requests the serial number OID, a key step in the attack chain.
// Hunt for SNMP Serial Number queries to ICS Subnets
let OT_Subnets = dynamic(['10.20.0.0/16', '192.168.100.0/24']); // Define your OT ranges
DeviceNetworkEvents
| where DestinationPort == 161 // SNMP
| where ipv4_is_in_range(DestinationIPAddress, OT_Subnets)
| where RemotePort == 161
| project Timestamp, DeviceName, SourceIPAddress, DestinationIPAddress, InitiatingProcessFileName
| where InitiatingProcessFileName in~ ('snmpwalk.exe', 'snmpget.exe', 'python.exe', 'perl.exe') // Common tools for OID querying
| summarize count() by SourceIPAddress, DestinationIPAddress, bin(Timestamp, 5m)
| order by count_ desc
**Velociraptor VQL:**
Hunt for administrative workstations that may be interacting with the OT environment, checking for common network scanning tools used to identify serial numbers.
-- Hunt for process execution of SNMP tools on Admin Workstations
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE CommandLine =~ 'snmp'
OR Name =~ 'nmap'
OR Name =~ 'masscan'
OR Exe =~ '\\Tools\\'
**Remediation Verification Script (Bash):**
This script is intended for a secured Linux jump host within the management network. It attempts to identify the firmware version of exposed KACO devices to check against the vulnerable list.
#!/bin/bash
# Vulnerability Assessment Script for Siemens KACO Blueplanet Inverters
# Usage: ./check_kaco_devices.sh <subnet_cidr>
SUBNET=$1
KNOWN_VULN_PATTERNS="(blueplanet 100 NX3 M8|blueplanet 100 TL3 GEN2)"
if [ -z "$SUBNET" ]; then
echo "Usage: $0 <CIDR_RANGE>"
exit 1
fi
echo "[*] Scanning $SUBNET for KACO Inverters on port 80..."
# Using nmap to probe web server headers (requires nmap installed)
# We look for the 'Server' header which often reveals the device model
nmap -p 80 --open -oG - $SUBNET 2>/dev/null | grep "80/tcp" | awk '{print $2}' | while read ip; do
echo "[+] Checking host: $ip"
RESPONSE=$(curl -s -m 2 --connect-timeout 2 http://$ip | head -n 20)
# Simple grep for device models in the HTML title or body
if echo "$RESPONSE" | grep -qiE "blueplanet|kaco"; then
echo "[!] KACO Device Detected at $ip"
echo " Response Snippet:"
echo "$RESPONSE" | grep -iE "blueplanet|version" | head -n 3
echo " ACTION REQUIRED: Verify version against ICSA-26-160-02"
fi
done
echo "[*] Scan complete. Please verify findings against the official advisory."
Remediation
-
Apply Firmware Updates Immediately: KACO new energy GmbH has released fix versions. For devices where
intdotversions are vulnerable (e.g.,blueplanet 100 TL3 GEN2), update to versions 6.1.4.9 or later where applicable. Check the vendor advisory for specific firmware downloads for theNX3andTL3series. -
Implement Network Segmentation (Compensating Control): For devices where fixes are "not yet available," strict network segmentation is mandatory. Place inverters on an isolated VLAN. Ensure the only traffic allowed to/from these devices is strictly necessary for SCADA/monitoring protocols and originates only from authorized management stations.
-
Restrict SNMP Access: Ensure SNMP is disabled or set to use strong, non-default community strings. Block UDP port 161 from untrusted networks to prevent attackers from harvesting serial numbers remotely.
-
Physical Security: Since serial numbers are physically printed on the device, ensure physical access to inverter sites is restricted. In conjunction with the network segmentation, this mitigates the risk of local credential derivation.
Official Advisory: CISA ICSA-26-160-02
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.