PT-2021-11176 · Enphase · Enphase Envoy

Published: 2021-06-16 · Updated: 2021-06-24 · CVE-2020-25752

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Enphase Envoy versions R3.x and D4.x
Description: An issue was discovered where hardcoded web-panel login passwords for the installer and Enphase accounts are derived from the MD5 hash of the username and serial number mixed with static strings. The serial number can be retrieved by an unauthenticated user at the "/info.xml" API endpoint. These passwords can be easily calculated by an attacker, and users are unable to change them.
Recommendations: For Enphase Envoy versions R3.x and D4.x, consider disabling the web-panel login feature until a patch is available to prevent exploitation. Restrict access to the "/info.xml" API endpoint to minimize the risk of serial number retrieval. Avoid using the hardcoded passwords for the installer and Enphase accounts until the issue is resolved.

Exploit

Fix

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

CVE-2020-25752

Affected Products

Enphase Envoy