IT security firm Jakkaru has identified a vulnerability in AP Systems microinverters that could enable a ‘kill switch’ scenario, potentially shutting down tens of thousands of inverters simultaneously and disrupting grid operations.
Cybersecurity company Jakkaru has disclosed a critical security flaw in microinverters manufactured by Chinese manufacturer AP Systems.
According to Jakkaru, the flaw allowed the devices to be completely compromised over the Internet, including the ability to shut down systems selectively and simultaneously. AP Systems patched the vulnerability after being alerted by Jakkaru.
The hack targeted the EZ1-M microinverter, which is also sold as a white-label product by companies like Anker under the model name Solix Mi80. Jakkaru identified approximately 100,000 vulnerable devices that were accessible online. The researchers believe that a potentially larger device base, including AP Systems’ home energy storage systems, may also have been affected. There are approximately 600,000 AP Systems installations in use worldwide.
MQTT infrastructure attack
The researchers discovered a relatively easy-to-hack MQTT gateway within the inverters’ communications system. The devices transmit corporate data via a cloud-based MQTT system, with authentication performed using static keys derived from the device’s serial number. Because these serial numbers are assigned sequentially, they are relatively easy to predict.
Jakkaru’s team reconstructed the authentication mechanism. In their tests, they used AI models such as Gemini Pro to reverse engineer the firmware. This allowed them to pose as a legitimate device on the MQTT gateway.
Jakkaru highlighted the ability to trigger firmware updates via “saved messages” in the MQTT protocol as particularly crucial. Attackers can take advantage of this to flash malicious firmware on the devices. In a proof-of-concept, the researchers showed that this provides complete control over the inverter.
“AI systems like Gemini Pro can help find security vulnerabilities faster and more effectively,” said Marlon Starkloff, Managing Director of Jakkaru, speaking to pv magazine. “Instead of several days of manual investigation, AI systems now only take a few hours. However, this also allows attackers with limited IT knowledge to cause significant damage. The barrier to entry has been lowered.”
Starkloff noted that experienced hackers probably could have discovered the vulnerability without AI, but Gemini simplified the process. Reverse engineering requires in-depth knowledge to identify certain functionalities, and AI systems are particularly suitable for this. He estimates that without AI, compromising AP Systems’ inverters would have taken about three days – just an hour with AI assistance.
Entry point
In addition to the communication module, the control components of the inverters’ power electronics can also be targeted, potentially allowing attackers to disrupt the power supply. According to Jakkaru, such a compromise could have several consequences, including accessing Wi-Fi credentials and other information stored on the device, using compromised inverters as access points to local networks, harvesting devices for DDoS attacks, damaging devices through manipulated firmware, or even coordinating the shutdown of large numbers of inverters.
Jakkaru reported the vulnerability to AP Systems in November 2025. The manufacturer estimated that the recovery would take approximately three months, due to the required changes to the backend infrastructure. The results were published on March 4, 2026.
“AP Systems has completed a comprehensive update to its device-to-server communications security. Thanks to numerous technical improvements, all products are now fully compliant with European cybersecurity standards. To address gaps such as weak traditional encryption and unprotected secret keys, AP Systems devices now use a security authentication solution with unique credentials per device, effectively preventing malicious attacks and information leaks,” an AP Systems spokesperson told pv magazine.
“At the same time, the system verifies unique identifiers, such as device type and MAC address, combined with the X-Sign signature verification mechanism, to ensure authentic and reliable requests and further improve device access,” the spokesperson continued. “This update marks a milestone in AP Systems’ cybersecurity capabilities and strengthens the company’s leadership position in product security and compliance. It enables AP Systems users in Europe and worldwide to benefit from more secure, stable and reliable products and services.”
This content is copyrighted and may not be reused. If you would like to collaborate with us and reuse some of our content, please contact: editors@pv-magazine.com.
Popular content
