CVE-2020-25753

An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 software. The default admin password is set to the last 6 digits of the serial number. The serial number can be retrieved by an unauthenticated user at /info.xml...

CVE-2020-25755

CVE-2020-25755 affects Enphase Envoy R3.x, D4.x (and other current devices). The issue is in the upgrade_start function (in /installer/upgrade_start), which allows remote authenticated users to execute arbitrary commands via the force parameter. Impact is described as remote command execution wit...

CVE-2020-25753

The CVE-2020-25753 entry concerns Enphase Envoy R3.x and D4.x devices running v3 software. The issue arises from a default admin password set to the last 6 digits of the serial number, and the serial number is retrievable by an unauthenticated user at /info.xml. This combination creates a credent...

CVE-2020-25752

The CVE-2020-25752 entry concerns Enphase Envoy R3.x and D4.x devices with hardcoded web-panel login passwords for the installer and Enphase accounts. The passwords are derived from the MD5 hash of the username and serial number mixed with static strings, and the serial number can be retrieved by...