A command injection vulnerability in Locus Energy's LGate application could be exploited remotely, according to an advisory (ICSA-16-231-01) from ICS-CERT.
The bug could enable miscreants to commandeer several LGate versions that have their web server port publicly exposed.
LGate gathers performance data from solar photovoltaic (PV) systems, primarily in the North American energy sector. A PHP script used in the company's meters manages "the energy meter parameters for voltage monitoring and network configuration," according to the advisory. "The PHP code does not properly validate information that is sent in the POST request."
While no known attacks have targeted this vulnerability, the flaw could be exploited by an "attacker with a low skill," the advisory said.
Locus Energy has issued a firmware update to patch the flaw.
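The class of flaw the advisory describes, POST fields reaching a system command without validation, is shown here beside a hardened handler. This is an added illustration, not Locus Energy's code or its patch; the field names and the `set-network` helper with its flags are hypothetical.

```php
<?php
// Added illustration only, not Locus Energy code. The field names and the
// /usr/local/bin/set-network helper with its flags are hypothetical.

// Weak pattern: POST values are concatenated into a command line, so any
// shell metacharacter in a field is interpreted by /bin/sh.
function apply_network_config_unsafe(array $post): string
{
    return (string) shell_exec('/usr/local/bin/set-network --ip ' . $post['ip']
        . ' --mask ' . $post['netmask']);
}

// Hardened pattern, step 1: every field must parse as an IPv4 address.
function validate_network_config(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (['ip', 'netmask', 'gateway'] as $field) {
        $value = $post[$field] ?? null;
        if (!is_string($value)
            || filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            $errors[] = "$field is not a valid IPv4 address";
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

// Step 2: run the helper from an argument vector (PHP >= 7.4), so no shell
// ever parses the values even if validation were bypassed.
function apply_network_config(array $post): int
{
    [$clean, $errors] = validate_network_config($post);
    if ($errors) {
        error_log('rejected network config: ' . implode('; ', $errors));
        return 400;
    }
    $argv = ['/usr/local/bin/set-network', '--ip', $clean['ip'],
             '--mask', $clean['netmask'], '--gw', $clean['gateway']];
    $null = ['file', '/dev/null', 'w'];
    $proc = proc_open($argv, [1 => $null, 2 => $null], $pipes);
    return (is_resource($proc) && proc_close($proc) === 0) ? 200 : 500;
}

// Constructed sample input: the second field carries a shell metacharacter.
$sample = ['ip' => '192.0.2.10', 'netmask' => '255.255.255.0;x', 'gateway' => '192.0.2.1'];
[, $errors] = validate_network_config($sample);
print_r($errors);
```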