A command injection vulnerability (CWE-73) disclosed within the software used by Locus Energy solar panels has now been patched by the company.
In an ICS-CERT advisory dated December 6, 2016, Daniel Reich, an independent researcher, was credited with finding the vulnerability in several versions of the LGate solar panel. Because the web server on these vulnerable versions is exposed publicly, a remote attacker could take control of the device. Locus Energy estimates its LGate product is used primarily in North America.
CVE-2016-5782 has been assigned to this vulnerability with a base CVSS score of 8.6.
Companies using the product are urged to check whether they are using firmware version 1.05H_EM3 or above. If not, they are urged to send an email to email@example.com with the subject line: URGENT FW UPDATE REQUEST: MAC: TO 1.05H or higher FW, according to ICS-CERT.