A comprehensive cybersecurity investigation has revealed alarming vulnerabilities in the rapidly expanding solar energy infrastructure, with nearly 35,000 solar power devices found exposed to internet-based attacks across 42 vendors worldwide.
The discovery underscores growing security concerns as renewable energy systems become increasingly integrated into critical power grid infrastructure, potentially creating new pathways for malicious actors to disrupt electrical networks on a massive scale.
The geographical distribution of these vulnerable systems presents a stark picture of global cybersecurity preparedness in the renewable energy sector.
Europe dominates the landscape of exposed devices, accounting for an overwhelming 76% of vulnerable solar power systems, followed by Asia at 17% and the remaining regions comprising just 8% of exposed installations.
Germany and Greece lead individual countries in terms of exposure, with Italy following closely behind, representing approximately 6% of the total vulnerable devices worldwide.
Forescout analysts identified these internet-exposed solar power devices using the Shodan search engine on May 9, 2025, revealing a concerning array of vulnerable equipment including inverters, data loggers, monitors, gateways, and other communication devices.
The research builds upon the cybersecurity firm’s earlier SUN:DOWN investigation, which uncovered 46 new vulnerabilities affecting solar power systems that could potentially be exploited to hijack entire fleets of inverters, representing a significant escalation in renewable energy cybersecurity threats.
Recent incidents have amplified concerns about the security posture of solar energy infrastructure.
In May, Reuters reported the discovery of rogue communication devices embedded within Chinese-manufactured solar power inverters, prompting governments worldwide to evaluate the potential consequences of remote inverter disabling capabilities.
Additionally, the Iberian peninsula experienced a massive power grid failure affecting Madrid, Lisbon, and surrounding regions, bringing airports, trains, and digital payment systems to a complete halt, though this particular incident was not attributed to cyberattacks.
The implications extend far beyond individual system compromises, as these vulnerabilities could serve as initial access vectors into sensitive networks while potentially destabilizing power grid operations.
The high penetration of renewable energy in Spain’s grid, generating approximately 70% of the country’s power shortly before the recent failure, highlights how cybersecurity vulnerabilities in solar systems could exacerbate grid instability issues already inherent in renewable energy transitions.
SolarView Compact: A Case Study in Escalating Exploitation
The CONTEC SolarView Compact devices represent a particularly troubling example of how solar power vulnerabilities can rapidly evolve from theoretical risks to active exploitation vectors.
These devices have experienced a dramatic 350% increase in internet exposure over just two years, growing from approximately 600 exposed systems in 2023 to nearly 3,000 by 2025, now representing almost 8% of all exposed solar devices globally.
The SolarView Compact systems harbor multiple critical vulnerabilities currently under active exploitation by botnet operators, including CVE-2022-29303, CVE-2022-40881, CVE-2023-23333, and CVE-2023-29919.
The first three vulnerabilities are command injection flaws, while the last is an insecure permission issue; together they give attackers comprehensive access to the system.
Analysis of the exposed devices revealed 27 unique firmware versions: 60% run outdated versions 4.00 to 4.04, 28% run versions 3.01 to 3.12, and the remaining 12% run versions below 3.00. Notably, no devices were found running the latest firmware version, 8.20.
The real-world impact of these vulnerabilities became evident when 800 SolarView Compact devices were successfully hijacked in Japan and subsequently used for bank account theft operations.
Through analysis combining data from their Adversary Engagement Environment and Greynoise intelligence, Forescout researchers identified 43 unique IP addresses that have specifically targeted these solar devices within the past year.
Most of these malicious IP addresses are associated with known botnet operations or automated vulnerability scanning activities, with nine addresses identified as Tor exit nodes, primarily registered in Singapore (21%), Germany (16%), and the Netherlands (14%).
Mitigation strategies focus on fundamental network security principles, emphasizing that organizations should never expose inverter management interfaces directly to the internet, instead implementing VPN-based remote access following CISA guidelines when remote management capabilities are necessary.
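An added example, not from Forescout or the article: a Python audit of an asset inventory that flags SolarView Compact devices whose management interface sits outside internal address space or whose firmware is older than the 8.20 release mentioned above. The inventory rows, device names, internal address ranges and the major.minor version comparison are assumptions made for illustration.

```python
import ipaddress

# Latest SolarView Compact firmware named in the article.
LATEST_FIRMWARE = (8, 20)

# Assumed internal address space: RFC 1918, CGNAT, loopback, link-local (IPv4).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed inventory: (name, management IP, firmware). The 198.51.100.x and
# 203.0.113.x documentation addresses stand in for internet-routable ones.
SAMPLE_INVENTORY = [
    ("plant-a-monitor", "10.20.0.15", "8.20"),
    ("plant-b-monitor", "198.51.100.23", "4.02"),
    ("plant-c-monitor", "192.168.5.9", "3.12"),
    ("plant-d-monitor", "203.0.113.77", "8.20"),
    ("plant-e-monitor", "172.16.4.2", "unknown"),
]

def parse_firmware(text):
    """Return (major, minor) for 'major.minor' strings, else None."""
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdecimal() for p in parts):
        return None
    return int(parts[0]), int(parts[1])

def is_internal(ip_text):
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)

def audit(inventory):
    """Map each device that has findings to its list of reasons."""
    findings = {}
    for name, ip_text, fw_text in inventory:
        reasons = []
        if not is_internal(ip_text):
            reasons.append("management interface on internet-routable address")
        version = parse_firmware(fw_text)
        if version is None:
            reasons.append("firmware version unreadable")
        elif version < LATEST_FIRMWARE:
            reasons.append("firmware %s older than 8.20" % fw_text)
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Devices flagged for the address check are candidates for moving behind VPN-based remote access; an unreadable firmware string is reported rather than silently passed.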