CISA advisory ICSA-26-160-02 discloses two vulnerabilities in Siemens KACO Blueplanet solar inverters: a hard-coded credential flaw (CVE-2025-40946, CVSS 8.3) that allows any attacker to derive valid Technical Service credentials from a device serial number, and an SQL injection privilege escalation (CVE-2026-41125, CVSS 6.0). No vendor patch exists for the majority of affected devices, making compensating controls the only remediation path for 30-plus globally deployed inverter models in energy sector critical infrastructure.