Skip to content

Hoymiles Inverters: Critical Wireless Vulnerabilities Threaten PV Systems

The Bottom Line: Critical wireless vulnerabilities in hundreds of thousands of Hoymiles inverters enable remote shutdown and destruction of PV systems without authentication.

Researchers have discovered critical wireless vulnerabilities in inverters from manufacturer Hoymiles that allow attackers to remotely shut down or physically damage PV systems. Hundreds of thousands of devices installed in decentralized solar installations are affected.

The vulnerabilities affect Hoymiles inverters commonly used in small and medium-sized photovoltaic systems. Security researchers have demonstrated that the wireless protocols of these devices have significant deficiencies that enable unlimited remote control.

Specifically, attackers in the immediate vicinity of affected systems can inject commands through the wireless interface to shut down or block the inverters. In the worst case, these attacks can cause physical damage to the hardware, such as through overloads or voltage spikes. An attacker would not even need to gain access to the power grid or IT infrastructure – the wireless signal alone is sufficient.

For CISOs, this is a problem on multiple levels: First, it affects the physical infrastructure of critical energy systems. Second, many of these decentralized PV systems are part of microgrids or self-supply systems that are essential for operational continuity. Third, a mass update of hundreds of thousands of devices is logistically and coordinatorially demanding, particularly when the hardware is already deployed in the field.

For operators of solar systems, an immediate inventory of Hoymiles devices in operation is recommended, contact with the manufacturer regarding firmware updates, and a review of whether the systems are used in security-critical scenarios. The NIS2 Directive explicitly emphasizes responsibility for protecting energy infrastructure.


Source: www.heise.de · Published 7 July 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: