Advisory

Sungrow reports multiple flaws in iSolarCloud and WiNet Firmware, two critical

Take action: If you are using the iSolarCloud Android App and systems with Sungrow WiNet Firmware, it's time to update. Make sure the devices are isolated from the internet and accessible only from trusted networks. Then apply the relevant patches - don't ignore this because the number of critical flaws is huge. You will be hacked.


Learn More

Sungrow is reporting multiple security vulnerabilities affecting their iSolarCloud Android App and WiNet Firmware products.

Vulnerabilities summary:

  • CVE-2024-50694 (CVSS score 9.5): Stack-Based Buffer Overflow - When copying time stamps from MQTT messages, the code lacks buffer bounds checking.
  • CVE-2024-50697 (CVSS score 9.5): Stack-Based Buffer Overflow - Insufficient bounds checks when decrypting MQTT messages and parsing TLV fields.
  • CVE-2024-50695 (CVSS score 9.5): Stack-Based Buffer Overflow - Missing MQTT topic bounds checks when parsing messages.
  • CVE-2024-50698 (CVSS score 9.5): Heap-Based Buffer Overflow - Lack of bounds checks for MQTT message content.
  • CVE-2024-50696 (CVSS score 9.5): Download Without Integrity Check - The products lack proper integrity verification during updates, allowing installation of malicious firmware.
  • CVE-2024-50692 (CVSS score 9.5): Hard-Coded Credentials - The WiNet module firmware contains hard-coded MQTT credentials.
  • CVE-2024-50693 (CVSS score 9.2): Authorization Bypass - The userService API model contains multiple IDOR vulnerabilities.
  • CVE-2024-50689 (CVSS score 9.2): Authorization Bypass - The orgService API model has multiple IDOR vulnerabilities.
  • CVE-2024-50691 (CVSS score 8.3): Improper Certificate Validation - The Android app explicitly ignores certificate errors, making it vulnerable to adversary-in-the-middle attacks.
  • CVE-2024-50684 (CVSS score 8.3): Use of Broken Cryptographic Algorithm - The iSolarCloud Android app uses an insecure AES key with insufficient entropy for encrypting client data.
  • CVE-2024-50685 (CVSS score 6.9): Authorization Bypass - The powerStationService API model has multiple insecure direct object references (IDOR) vulnerabilities.
  • CVE-2024-50686 (CVSS score 6.9): Authorization Bypass - The commonService API model contains multiple IDOR vulnerabilities.
  • CVE-2024-50687 (CVSS score 6.9): Authorization Bypass - The devService API model has multiple IDOR vulnerabilities.
  • CVE-2024-50688 (CVSS score 6.9): Hard-Coded Credentials - The Android application and cloud use hard-coded MQTT credentials for device telemetry exchange.
  • CVE-2024-50690 (CVSS score 6.9): Hard-Coded Password - The WiNet WebUI contains a hard-coded password that can decrypt all firmware updates.
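
The stack overflows listed above (CVE-2024-50694, CVE-2024-50697) belong to the class where a length taken from an MQTT message is trusted during a copy. The C function below is an added example of the bounds checks that class requires; it is not Sungrow's code, and the TLV layout (1-byte type, 2-byte big-endian length), the type code, the buffer size, and the sample payloads are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLV_TYPE_TIMESTAMP 0x01 /* hypothetical type code */
#define TS_BUF_LEN 20           /* hypothetical fixed buffer size */

/* Walk TLV records (1-byte type, 2-byte big-endian length, value) in an
 * untrusted payload and copy the timestamp value into ts_out as a C string.
 * Returns 0 on success, -1 malformed, -2 timestamp too long, -3 not found. */
int extract_timestamp(const uint8_t *msg, size_t msg_len, char ts_out[TS_BUF_LEN])
{
    size_t off = 0;
    while (off < msg_len) {
        if (msg_len - off < 3)
            return -1;                 /* truncated record header */
        uint8_t type = msg[off];
        size_t len = ((size_t)msg[off + 1] << 8) | msg[off + 2];
        off += 3;
        if (len > msg_len - off)
            return -1;                 /* declared length exceeds bytes received */
        if (type == TLV_TYPE_TIMESTAMP) {
            if (len >= TS_BUF_LEN)
                return -2;             /* would overflow ts_out (needs room for NUL) */
            memcpy(ts_out, msg + off, len);
            ts_out[len] = '\0';
            return 0;
        }
        off += len;                    /* skip fields we do not handle */
    }
    return -3;
}

/* Constructed sample payloads, not captured traffic. */
static const uint8_t SAMPLE_OK[] = {0x02, 0x00, 0x02, 'a', 'b', 0x01, 0x00, 0x0A,
                                    '1', '7', '0', '0', '0', '0', '0', '0', '0', '0'};
static const uint8_t SAMPLE_LONG[3 + 24] = {0x01, 0x00, 0x18};    /* 24-byte value */
static const uint8_t SAMPLE_LIE[] = {0x01, 0x00, 0xFF, '1', '2'}; /* claims 255, has 2 */
static char demo_ts[TS_BUF_LEN];

int main(void)
{
    printf("ok=%d ", extract_timestamp(SAMPLE_OK, sizeof SAMPLE_OK, demo_ts));
    printf("ts=%s\n", demo_ts);
    printf("long=%d\n", extract_timestamp(SAMPLE_LONG, sizeof SAMPLE_LONG, demo_ts));
    printf("lie=%d\n", extract_timestamp(SAMPLE_LIE, sizeof SAMPLE_LIE, demo_ts));
    return 0;
}
```

Both checks are needed: the first compares the declared length against the bytes actually received, the second against the destination buffer.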

The following Sungrow software products are affected:

  • iSolarCloud Android App: Version 2.1.6 and prior
  • WiNet Firmware: All versions

Sungrow has released updated versions of affected firmware. Users are encouraged to apply version WINET-SV200.001.00.P028 or higher. Users should also update their iSolarCloud Android App to the latest version via their device's app store. The iSolarCloud cloud service has been repaired and requires no further user action.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
