An analysis conducted recently by researchers at cybersecurity firm Forescout showed that roughly 35,000 solar power systems are exposed to the internet and potentially vulnerable to remote attacks.
Forescout has found more than 90 vulnerabilities in solar power products over the past years, including 46 flaws in Sungrow, Growatt and SMA Solar Technology products that were disclosed earlier this year as part of a project dubbed ‘SUN:DOWN’.
While those vulnerabilities could pose a significant threat to electrical grids, their exploitation involved access to cloud management systems rather than the actual device’s management interface.
Forescout’s latest solar-focused research has looked at the internet exposure of management interfaces associated with inverters and other solar systems.
Using the Shodan search engine, the security firm’s researchers identified approximately 35,000 internet-exposed management interfaces. More than 12,000 of those were associated with devices made by Germany-based SMA.
The top 10 list also includes devices from Fronius International, Solare Datensysteme, Contec, Sungrow, Kostal Solar, Kaco New Energy, Growatt, and Sinapsi.
While the internet-exposed devices were located all around the world, more than three-quarters were in Europe, followed by Asia at 17%.
The five most commonly seen products were SMA Sunny Webbox (approximately 10,000 devices), Fronius inverters (4,000), Solare Datensysteme SolarLog (3,000), Contec’s SolarView Compact (2,000), and Sungrow WiNet and Logger1000 (2,000).
In the case of the SMA device, a decade ago there were roughly 80,000 exposed devices, but the number dropped to 10,000 after other researchers warned the vendor about a severe vulnerability.
For other products, such as SolarView Compact, the number of devices exposed online increased from 600 in 2023 to over 2,000 in 2025.
The fact that these solar systems are exposed to the internet does not automatically mean that they can be hacked. However, many of them could be plagued by vulnerabilities that expose them to remote attacks, and vendors often encourage customers to ensure that the devices are not exposed to the web.
The threat is not only theoretical. The SolarView Compact product, for instance, is affected by at least three vulnerabilities that have been exploited in the wild by botnets.
In the case of the SolarView devices seen by Forescout, none of them were running the latest firmware version.
“Exploiting these devices with exposed management interfaces would likely have a lower impact on the grid, since they are largely outnumbered by the devices in SUN:DOWN that are managed via manufacturers’ clouds,” Forescout researchers explained in their report. “Nevertheless, they can serve as initial access vectors into potentially sensitive networks.”
Learn More at SecurityWeek’s ICS Cybersecurity Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
October 27-30, 2025 | Atlanta
www.icscybersecurityconference.com
Related: Vulnerabilities Exposed Widely Used Solar Power Systems to Hacking, Disruption
Related: 1,000 Instantel Industrial Monitoring Devices Possibly Exposed to Hacking
