AI-enabled hacks expose remote shutdown risk in microinverters


Cybersecurity firm Jakkaru has disclosed a critical security vulnerability in microinverters made by Chinese manufacturer AP Systems.

According to Jakkaru, the flaw allowed complete compromise of the devices over the internet, including the ability to selectively and simultaneously shut down systems. AP Systems patched the vulnerability after being alerted by Jakkaru.

The hack targeted the EZ1-M microinverter, which is also sold as a white-label product by companies such as Anker under the model name Solix Mi80. Jakkaru identified approximately 100,000 vulnerable devices that were accessible online. The researchers believe that a potentially larger device base, including AP Systems’ home energy storage systems, may also have been affected. Around 600,000 AP Systems installations are in use worldwide.

MQTT infrastructure attack

The researchers discovered that the MQTT gateway in the inverters’ communication system was relatively easy to compromise. The devices transmit operating data via a cloud-based MQTT system, with authentication performed using static keys derived from the device’s serial number. Because these serial numbers are assigned sequentially, they are relatively easy to predict.
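Why a serial-derived key fails as a device credential, contrasted with the unique per-device credentials that the manufacturer's statement later in this article describes, is shown below as an added example; it is not Jakkaru's or AP Systems' code. The derivation function, the shared constant and the serial numbers are constructed for illustration, since the article does not publish the real scheme.

```python
import hashlib
import hmac
import secrets

FIRMWARE_CONSTANT = b"constructed-demo-constant"  # stand-in shared by every unit


def derived_password(serial: str) -> str:
    """Weak pattern: the credential is a pure function of the serial number."""
    return hashlib.sha256(FIRMWARE_CONSTANT + serial.encode()).hexdigest()


class DerivedAuth:
    """Broker-side check for the weak pattern: recompute and compare."""
    def check(self, serial: str, password: str) -> bool:
        return hmac.compare_digest(derived_password(serial), password)


class PerDeviceAuth:
    """Broker-side check with a random secret provisioned per device."""
    def __init__(self) -> None:
        self._hashes = {}  # serial -> SHA-256 of that device's secret

    def provision(self, serial: str) -> str:
        secret = secrets.token_urlsafe(32)  # 256 random bits, unrelated to serial
        self._hashes[serial] = hashlib.sha256(secret.encode()).digest()
        return secret  # written to the device once, at manufacture

    def check(self, serial: str, password: str) -> bool:
        stored = self._hashes.get(serial)
        candidate = hashlib.sha256(password.encode()).digest()
        # Unknown serials are compared against a dummy so timing stays uniform.
        matches = hmac.compare_digest(stored or bytes(32), candidate)
        return matches and stored is not None


def compare_schemes() -> dict:
    """Report which credentials each scheme accepts for a neighbouring serial."""
    owned, neighbour = "DEMO00000001", "DEMO00000002"  # constructed serials
    weak, strong = DerivedAuth(), PerDeviceAuth()
    owned_secret = strong.provision(owned)
    strong.provision(neighbour)
    return {
        "weak_accepts_computed_neighbour": weak.check(neighbour, derived_password(neighbour)),
        "strong_accepts_own_secret": strong.check(owned, owned_secret),
        "strong_accepts_secret_on_neighbour": strong.check(neighbour, owned_secret),
        "strong_accepts_computed_neighbour": strong.check(neighbour, derived_password(neighbour)),
    }
```

With a derived credential, possession of one unit tells you the credential of every other unit; with a provisioned random secret, the serial number reveals nothing and a compromise stays confined to one device.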

Jakkaru’s team reconstructed the authentication mechanism. In their tests, they used AI models such as Gemini Pro to reverse-engineer the firmware. This allowed them to impersonate a legitimate device on the MQTT gateway.

Jakkaru highlighted the ability to trigger firmware updates via “retained messages” in the MQTT protocol as particularly critical. Attackers can exploit this to flash malicious firmware onto the devices. In a proof-of-concept, the researchers demonstrated that this grants complete control over the inverter.

“AI systems like Gemini Pro can help find security vulnerabilities faster and more effectively,” said Marlon Starkloff, Managing Director of Jakkaru, in a chat with pv magazine. “Instead of several days of manual research, AI systems now take only a few hours. However, this also enables attackers with limited IT knowledge to cause significant damage. The barrier to entry has been lowered.”

Starkloff noted that experienced hackers likely could have discovered the vulnerability without AI, but Gemini simplified the process. Reverse engineering requires in-depth knowledge to identify certain functionalities, and AI systems are particularly well-suited for this. He estimates that compromising the AP Systems inverters would have taken about three days without AI—just one hour with AI assistance.

Entry point

In addition to the communication module, the inverters’ power electronics control components could also be targeted, potentially allowing attackers to interfere with power feed-in. According to Jakkaru, such a compromise could have several consequences, including access to Wi-Fi credentials and other information stored on the device, using compromised inverters as entry points into local networks, amassing devices for DDoS attacks, damaging devices through manipulated firmware, or even coordinating the shutdown of large numbers of inverters.

Jakkaru reported the vulnerability to AP Systems in November 2025. The manufacturer estimated it would take roughly three months to remediate, due to required adjustments to backend infrastructure. The results were published on March 4, 2026.

“AP Systems has completed a comprehensive update to its device-to-server communication security. Thanks to numerous technical improvements, all products now fully comply with European cybersecurity standards. To address gaps such as weak traditional encryption and unprotected secret keys, AP Systems devices now use a security authentication solution with unique credentials per device, effectively preventing malicious attacks and information leaks,” a spokesperson from AP Systems told pv magazine.

“Simultaneously, the system verifies unique identifiers, such as device type and MAC address, combined with the X-Sign signature verification mechanism, to ensure authentic and trustworthy requests and further enhance device access security,” the spokesperson went on to say. “This update marks a milestone in AP Systems’ cybersecurity capabilities, reinforcing the company’s leading position in product security and compliance. It enables AP Systems users in Europe and worldwide to benefit from more secure, stable, and reliable products and services.”
