Skip to the content.

DIVD-2024-00011 - Six vulnerabilities in Enphase IQ Gateway devices

Our reference DIVD-2024-00011
Case lead Frank Breedijk
Author
Researcher(s)
CVE(s)
Products
  • Enphase IQ Gateway devices (formerly known as Enphase Envoy)
Versions
  • CVE-2024-21876, CVE-2024-21877, CVE-2024-21878, and CVE-2024-21879 - v8 < v8.2.4225, v7, v6, v5 and v4
  • CVE-2024-21880 - v7, v6, v5 and v4
  • CVE-2024-21881 - v5 and v4
Recommendation Do not expose your Enphase equipment to untrusted networks (e.g. the internet or a visitor network). If internet connectivity is needed, place the device behind a NAT gateway.
Patch status Patches available
Status Open
Last modified 10 Aug 2024 19:57 CEST

Summary

DIVD researchers Wietse Boonstra and Hidde Smit have discovered six critical vulnerabilities in Enphase IQ Gateway devices (formerly known as Enphase Envoy). The vulnerabilities are present in version 4.x to 8.x. Version 8.2.4225 and later are patched. The first three can be combined into an Unauthenticated Remote Command Execution attack. For older (v7.x and older) devices, the password may be a weak default or calculatable based on the serial number which can be remotely read (See CVE-2020-25754). With these vulnerabilities, attackers could take control over the Enphase IQ Gateway device.

What you can do

We recommend that you do not expose your Enphase IQ Gateway device to an untrusted network. As long as these vulnerabilities are unpatched, your device can be taken over remotely. We recommend that you do not (re)expose you device after it has been patched by Enphase, to protect against future vulnerabilities.

You cannot upgrade the firmware of the Envoy IQ Gateway yourself. This is managed by Enphase. Enphase has released patches for five of these vulnerabilities which has made exploitation of the remaining cve (CVE-2024-21878) impossible using any of the other CVEs.

What we are doing

DIVD has responsibly disclosed the vulnerability to Enphase, which has remediated the vulnerabilities. Now, DIVD is collaborating with Enphase to find vulnerable and exposed Envoy IQ Gateways worldwide in order to assist with the patching process.

Timeline

Date Description
11 Apr 2024 Wietse Boonstra and Hidde Smit report six vulnerabilities to DIVD CSIRT
17 Apr 2024 Vendor notified via email to cybersecurity (at) enphaseenergy.com and cybersecurity (at) enphase.com and via ticket 16059299
18 Apr 2024 Vendor has acknowledge receipt of the vulnerability
17 Apr 2024-
18 Apr 2024
Time to acknowledge
18 Apr 2024 1st meeting between DIVD researchers and vendor
18 Apr 2024-
12 Jul 2024
Time to patch
18 Apr 2024-
12 Jul 2024
DIVD and Enphase work together
12 Jul 2024 Enphase reports that vulnerabilities are patched. Finders have validated the fixes. Enphase starts updating devices.
12 Jul 2024 DIVD starts scanning for vulnerable Envoy devices to assist with prioritizing patch process.
18 Apr 2024-
10 Aug 2024
Time to limited disclosure
10 Aug 2024 Limited disclosure of CVEs by Enphase
10 Aug 2024 Limited disclosure of CVEs by DIVD following Enphase disclosure
gantt title DIVD-2024-00011 - Six vulnerabilities in Enphase IQ Gateway devices dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00011 - Six vulnerabilities in Enphase IQ Gateway devices (still open) :2024-04-11, 2024-12-10 section Events Wietse Boonstra and Hidde Smit report six vulnerabilities to DIVD CSIRT : milestone, 2024-04-11, 0d Vendor notified via email to cybersecurity (at) enphaseenergy.com and cybersecurity (at) enphase.com and via ticket 16059299 : milestone, 2024-04-17, 0d Vendor has acknowledge receipt of the vulnerability : milestone, 2024-04-18, 0d Time to acknowledge (1 days) : 2024-04-17, 2024-04-18 1st meeting between DIVD researchers and vendor : milestone, 2024-04-18, 0d Time to patch (85 days) : 2024-04-18, 2024-07-12 DIVD and Enphase work together (85 days) : 2024-04-18, 2024-07-12 Enphase reports that vulnerabilities are patched. Finders have validated the fixes. Enphase starts updating devices. : milestone, 2024-07-12, 0d DIVD starts scanning for vulnerable Envoy devices to assist with prioritizing patch process. : milestone, 2024-07-12, 0d Time to limited disclosure (114 days) : 2024-04-18, 2024-08-10 Limited disclosure of CVEs by Enphase : milestone, 2024-08-10, 0d Limited disclosure of CVEs by DIVD following Enphase disclosure : milestone, 2024-08-10, 0d

More information