Think your CVE or research report should be on here? Send me a message via Linkedin.
| Date | Affected Vendor | Link to vulnerability/write-up | Credits |
| 10 September 2025 | SolaX | Linkedin-post leading to full compromise | Humza Ahmad, ENCS/DIVD |
| 9 august 2025 | Multiple, not disclosed yet. | Youtube video valid credentials available online for high priv accounts with enough access to down a nation | Willem Westerhof, Ralph Moonen, Yannick Fournel, Jasper Korten, Jasper Nota, Yurii Bilyk from Bureau veritas cybersecurity |
| 9 July 2025 | Growatt | Write-up of vulnerability leading to full compromise | Humza Ahmad, Frank Breedijk, DIVD |
| 11 June 2025 | Sungrow | write-up of vulnerability leading to full compromise | Harm van den Brink, Frank Breedijk of ENCS/DIVD |
| 27 march 2025 | SMA, Growatt, Sungrow | Detailed research report, multiple findings leading to full compromise | Stanislav Dashevskyi, Francesco La Spina, Daniel dos Santos from Forescout |
| 12 Jan 2025 | Solarman, Sunsynk, Growat, Solax, Ingecon, Foxess | youtube video Full compromise of cloud platforms + backdoors | Vangelis Stykas, from Atropos |
| 12 August 2024 | Enphase | Write-up of vulnerability unauthenticated device takeover | Wietse Boonstra and Hidde Smit from DIVD |
| 7 August 2024 | Solarman | Research report Full account compromise | Bitdefender |
| 9 August 2022 | Solarman, Ginlong Solis, Omnik, | Write-up of credentials online with cloud admin privileges | Jelle Ursem from DIVD |
How do I estimate the impact?
Most of the vulnerabilities Outlined on these page are considered “full compromise” vulnerabilities, where effectively every system of the relevant supplier was vulnerable to the attack.
In order to calculate the estimated impact in GW of this vulnerability, It’s important to take the following into account:
- Not every system is connected to the internet/cloud or additional protections may be in place that stop the attack.
- Not all systems provide their peak power at the same time, due to different orientations.
- Weather circumstances will differ across a large area making large scale attacks have a different impact in different areas.
In order to make a crude estimate of how much power was impacted by a vulnerability, simply remove 50% of the manufacturers market share data, specific to the grid you want to make the estimation for, to account for the above list of variables.
Using the above method by combining the 2018-2023 marketshare information with known vulnerabilities, it can be concluded that at the start of 2025 more than 60GW worth of PV installations in Europe were vulnerable to full compromise attacks over the internet.
Other recommend reading research:
- Research paper on shortcomings of current laws to prevent this attack
- Research paper on grid-impacting attacks via PB in the dutch grid
- Technical version of the above research paper
- Research paper on alternative electrical attacks and predicting when the grid is under stress
- Research paper on load altering attacks and limits of the grid
- Write-up of Spanish grid blackout