The micro-inverters from the manufacturer Deye, which are used in numerous balcony power plants and are also sold in Germany in the mini-PV range of the discounter Netto in the form of the SUN600G3-EU-230 inverter with 2 MPP trackers, have a security gap that so far could only be closed manually via an update.
Access via the access point cannot be switched off
However, Deye has now announced that the firmware update will be automatically installed on all inverters that are connected to the Internet for at least 30 minutes. The vulnerability in the inverter's WiFi logger, which connects to Solarman servers to log electricity production, prevents users from turning off the built-in WiFi access point and from changing the default key 12345678. Although the key can be changed in the firmware versions MW3_15U_5406_1.47 and MW3_15U_5406_1.471, the change was not saved permanently. Only firmware MW3_16U_5406_1.53 can remedy this.
Update no longer only for support requests
Although the vulnerability has been known since January 2023, the update has so far not been delivered automatically to inverters connected to the Internet. Instead, users had to request the firmware update from Deye by e-mail, and an answer then sometimes took 14 days. For a few days now, however, the update should be installed automatically. If the inverter is not yet connected to the Internet, it is therefore advisable to connect it at least temporarily via a guest WLAN and wait until the firmware update has been installed automatically. Which firmware version the Deye inverter is currently using can be viewed on the device's web interface or on the Solarman platform in the browser.
Update also necessary for offline operation
All owners of a Deye inverter should import the update, even if the device is not permanently connected to the Internet, as other people can log in at any time via the access point and, if necessary, also access the access data for the user's WLAN. The vulnerability in the Deye inverters has now been given the CVE number CVE-2023-0808.
The inverters sold in Germany under the Bosswerk and Revolt brands are Deye devices and are also affected.