Forescout Flags 35,000 Exposed PV Devices, Warns of Grid Vulnerabilities
- Forescout finds 35,000 solar devices online with open management interfaces, most of them in Europe, just weeks after the Iberian blackout; experts urge swift patching and VPN use.
Cyber-security researchers at Forescout Technologies’ Vedere Labs have mapped almost 35,000 solar-power devices—mostly inverters, data loggers and gateways—with management interfaces wide open to the public Internet, arguing that each unit represents “a reachable doorway into the grid.”
The scan, conducted on 9 May 2025 via the Shodan search engine, shows Europe accounts for 76 % of the exposed fleet, followed by Asia with 17 %. Germany and Greece together host about two-fifths of all reachable endpoints, while Japan and Portugal each harbour roughly one in ten. Among individual products, SMA’s discontinued Sunny WebBox tops the list with 10,000 live units, trailed by Fronius inverters, SolarLog dataloggers and Contec’s SolarView Compact, the latter up 350 % in just two years.
Forescout warns that Internet exposure compounds a deeper flaw landscape: its earlier SUN:DOWN project already catalogued 46 new vulnerabilities—and more than 90 in total—across popular inverter brands such as Sungrow, Growatt and SMA. While SUN:DOWN attacks require access through vendors’ cloud portals, an open management port lets threat actors bypass that hurdle entirely, potentially hijacking voltage settings or forcing devices offline.
The alert lands amid heightened scrutiny of renewable-energy cyber-risks. Last month’s still-unexplained blackout across Spain and Portugal, which knocked out 15 GW of generation in seconds, has stirred speculation—albeit unproven—about whether misconfigured or malicious inverters played a part. Separately, European regulators are probing reports of rogue communication modules embedded in Chinese-made inverters, underscoring how quickly local device issues can scale into continental disruptions.
Forescout’s mitigation checklist is blunt: never leave inverter dashboards on the open web; patch or replace un-upgradable hardware; and, if remote access is unavoidable, place the device behind a VPN that follows CISA and NIST guidelines for smart-grid equipment. Plant operators are also urged to inventory firmware versions—SolarView Compact units, for instance, showed 27 different builds, none current—and to segment energy networks so a compromised logger cannot become a stepping-stone into critical control systems.
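The checklist above can be run as a recurring audit over an operator's own asset inventory. The following Python is an added example, not code from Forescout or from any vendor; the inventory rows, asset names, build strings and the `BASELINE` table are constructed placeholders that an operator would replace with their own records.

```python
import ipaddress
from collections import defaultdict

# Ranges treated as not internet-facing: RFC 1918, CGNAT, loopback, link-local.
# IPv6 addresses fall outside these IPv4 ranges and are flagged for review.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# Assumption: the operator maintains this table from vendor advisories.
# Build strings are placeholders, not real vendor version numbers.
BASELINE = {
    "SolarView Compact": "BUILD-CURRENT",
    "Sunny WebBox": None,  # discontinued per the article: no supported build
}

# Constructed inventory: (asset id, model, management address, firmware build).
INVENTORY = [
    ("pv-01", "SolarView Compact", "203.0.113.10", "BUILD-OLD-A"),
    ("pv-02", "SolarView Compact", "10.20.0.5", "BUILD-OLD-B"),
    ("pv-03", "SolarView Compact", "10.20.0.6", "BUILD-CURRENT"),
    ("pv-04", "Sunny WebBox", "192.168.50.2", "BUILD-LAST"),
]

def is_internet_facing(addr):
    """True when the management address is outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def audit(inventory, baseline):
    """Map asset id -> list of checklist findings; clean assets are omitted."""
    findings = defaultdict(list)
    for asset, model, addr, build in inventory:
        if is_internet_facing(addr):
            findings[asset].append("management interface on a public address")
        if model not in baseline:
            findings[asset].append("no baseline recorded for model")
        elif baseline[model] is None:
            findings[asset].append("discontinued hardware: replace")
        elif build != baseline[model]:
            findings[asset].append("firmware not at current build")
    return dict(findings)

def build_spread(inventory):
    """Count distinct firmware builds per model (version sprawl indicator)."""
    spread = defaultdict(set)
    for _, model, _, build in inventory:
        spread[model].add(build)
    return {model: len(builds) for model, builds in spread.items()}
```

A high `build_spread` count for one model is the same signal the researchers reported for SolarView Compact: many builds in the field and no single patched baseline.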
With solar poised to supply a quarter of Europe’s electricity by 2030, the researchers argue that basic cyber hygiene—closing ports, changing default passwords, and rolling out signed updates—will decide whether the technology remains an enabler of decarbonisation or the weak link that keeps the lights off.
