Disclosure of Vulnerabilities in Fox ESS Cloud Infrastructure | Jakkaru Insights
Date: Thursday, June 11, 2026
Written by: Marlon Starkloff
Disclosure of Vulnerabilities in Fox ESS Cloud Infrastructure
Fox ESS is a global leader in smart renewable energy solutions, specializing in solar inverters, energy storage systems, and EV chargers for both residential and commercial markets. With hundreds of thousands of active devices deployed globally, these systems are deeply integrated into the daily power infrastructure of homes and businesses.

During a routine scan of the infrastructure of various solar inverter manufacturers, we discovered serious vulnerabilities in the infrastructure of Fox ESS, potentially leading to the compromise of their whole infrastructure with an impact on their device fleet.

Initial Discovery

Through various methods not discussed here, we found multiple IP addresses belonging to the Kubernetes cluster of Fox ESS, on which their whole infrastructure seems to be deployed. Through a misconfiguration or poor design choice, most of the pods on this cluster expose their services directly on the host machine through multiple ports, leading to direct container access. A few services sparked our interest: multiple MySQL servers, Go profiling endpoints, a Prometheus server, and an EMQX instance.

The Prometheus telemetry data was accessible from the internet and allowed us to map the whole cluster within seconds. We had access to all the information related to pods, containers, image repositories and secret names.

Besides Prometheus, the Go profiling endpoint was exposed for multiple services, leading to exposed data such as the command line, allocations, and heap data.

Further Discoveries

Later on we also found an exposed Apache SkyWalking instance, an application performance monitoring system. It revealed further infrastructure details, and in some cases, user tokens inside logs.

Escalation

The most critical finding was an exposed EMQX instance which was not fully configured. Because of this, the default credentials (admin:public) were still set.
Logging in revealed version 5.4.1, which is vulnerable to remote code execution.

An attacker could have gotten code execution on the EMQX container. Pairing this with the Kubernetes information disclosure (including IPs) turns this into a critical finding.

The EMQX instance also has a MySQL database connection set up for MQTT device verification. The credentials for this database were visible in the dashboard. Connecting to the exposed MySQL instance mentioned at the beginning revealed administrative read and write access to the database. Even though this database turned out to be for testing, it still included dozens of employee testing accounts, credentials, and configurations, which might be used for further exploitation.
Later it was discovered that there were two database accounts set up with the password 123456. Again, the database was publicly accessible from the internet.

Impact

These vulnerabilities may have allowed an attacker to take control of their infrastructure, including solar and battery device management, with catastrophic results if abused. Various attack scenarios may be realized, such as device hijacking by injecting custom firmware or energy grid destabilization by systematic control of inverters and battery devices.

All these findings highlight missing security measures in the infrastructure design and maintenance of Fox ESS. Given that Fox ESS is highly integrated into the energy grid of various countries and manages roughly 1 million solar inverters and 1 million battery storage solutions, the security of Fox ESS is a matter of national security.

Disclosure

We reported the vulnerabilities to Fox ESS earlier this year and they were fixed within a month. Given a responsible disclosure embargo of 90 days, we are disclosing these vulnerabilities today.
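
One way to audit your own cluster for the host-level exposure described under Initial Discovery, as an added example that is not code from the article or from Fox ESS: the function reads `kubectl get pods -A -o json` output and lists every container published on a node address through `hostNetwork` or `hostPort`. The article does not say which mechanism was involved, so checking these two is an assumption, as are the port watch-list and the sample pod names.

```python
# Assumed watch-list of conventional ports; the article gives no port numbers.
WATCH = {3306: "MySQL", 9090: "Prometheus", 18083: "EMQX dashboard", 6060: "Go pprof"}

def audit_host_exposure(pod_list):
    """Flag containers reachable on a node address via hostNetwork or hostPort.
    pod_list is the parsed output of `kubectl get pods -A -o json`."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        pod_id = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        host_net = bool(spec.get("hostNetwork"))
        via = "hostNetwork" if host_net else "hostPort"
        before = len(findings)
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            for p in c.get("ports", []):
                # hostNetwork puts every listening port on the node; otherwise
                # only ports with an explicit hostPort are published there.
                port = p.get("containerPort") if host_net else p.get("hostPort")
                if not port:
                    continue
                # With hostPort an empty hostIP means all node interfaces; with
                # hostNetwork the process itself chooses the bind address.
                bind = "process-defined" if host_net else p.get("hostIP") or "0.0.0.0"
                findings.append({"pod": pod_id, "container": c.get("name"),
                                 "port": port, "via": via, "bind": bind,
                                 "service": WATCH.get(port, "unknown")})
        if host_net and len(findings) == before:
            # Declared ports are informational: a hostNetwork pod can listen anywhere.
            findings.append({"pod": pod_id, "container": None, "port": None,
                             "via": via, "bind": "process-defined",
                             "service": "undeclared"})
    return findings

# Constructed sample shaped like `kubectl get pods -A -o json` (hypothetical names).
SAMPLE = {"items": [
    {"metadata": {"namespace": "data", "name": "mysql-0"},
     "spec": {"containers": [{"name": "mysql", "ports": [
         {"containerPort": 3306, "hostPort": 3306}]}]}},
    {"metadata": {"namespace": "mon", "name": "prometheus-0"},
     "spec": {"hostNetwork": True, "containers": [{"name": "prom", "ports": [
         {"containerPort": 9090}]}]}},
    {"metadata": {"namespace": "app", "name": "api-1"},
     "spec": {"containers": [{"name": "api", "ports": [
         {"containerPort": 8080},
         {"containerPort": 6060, "hostPort": 6060, "hostIP": "127.0.0.1"}]}]}},
]}

if __name__ == "__main__":
    print(*audit_host_exposure(SAMPLE), sep="\n")
```

Services of type NodePort or LoadBalancer are a separate exposure path that this check does not cover.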