PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-46344 Solar-Log CVE debrief

A cross-site scripting (XSS) vulnerability in Solar-Log Base 15 allows an authenticated, low-privilege attacker to inject script into the device web interface; the advisory records the impact as access control bypass and unauthorized access. CISA published advisory ICSA-24-303-02 for it on October 29, 2024. The affected version is Firmware_6.0.1_Build_161, and the CVSS 3.1 base score is 5.4 (MEDIUM). Solar-Log has released Firmware 6.2.0-170 as the vendor fix.

Vendor
Solar-Log
Product
Base 15
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2024-10-29
Original CVE updated
2024-10-29
Advisory published
2024-10-29
Advisory updated
2024-10-29

Who should care

Organizations operating Solar-Log Base 15 energy monitoring and management systems, particularly in solar power installations and distributed energy resource management. Security teams responsible for OT/ICS environments, energy sector infrastructure operators, and facility managers with solar generation assets should prioritize firmware updates.

Technical summary

CVE-2023-46344 is a cross-site scripting vulnerability in Solar-Log Base 15 energy management systems running Firmware_6.0.1_Build_161. The stored evidence does not record whether the XSS is stored or reflected, nor which parameter or page carries the injection point. The CVSS vector (AV:N/AC:L/PR:L/UI:R) shows that the flaw is reachable over the network, that the attacker needs an authenticated low-privilege account, and that a victim user has to act, for example by viewing the page that renders the injected content. Successful exploitation lets the attacker's script run in the victim's browser session, which is how the advisory's access control bypass and unauthorized access to device functionality come about. The score of 5.4 reflects low confidentiality and integrity impact and no availability impact. The scope change (S:C) is the usual CVSS treatment of XSS: the vulnerable component is the device web application, but the injected script executes in the victim's browser, a resource outside that component's security authority. Solar-Log has released Firmware 6.2.0-170 as the vendor fix.

Defensive priority

medium

Recommended defensive actions

  • Update Solar-Log Base 15 to Firmware 6.2.0-170 or later to remediate the XSS vulnerability
  • Implement network segmentation to limit exposure of Solar-Log Base 15 devices to untrusted networks
  • Apply principle of least privilege for user accounts accessing the Solar-Log Base 15 management interface
  • Monitor for anomalous authentication or access patterns that may indicate exploitation attempts
  • Review input validation and, above all, context-aware output encoding on all web-facing components of energy management systems; XSS is closed by encoding untrusted values for the HTML context they land in, not by input filtering alone
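The following is an added illustration of the last point, not Solar-Log's code: the stored evidence does not say where CVE-2023-46344 injects, so the snippet models a hypothetical device web page that echoes a user-editable "device name" in two HTML contexts (element body and attribute value), shows the unsafe concatenation beside the context-aware encoding that closes it, and audits the rendered output for elements and event handlers the template never put there. The payloads are constructed for the example.

```python
"""Added example (not Solar-Log's code). Models a hypothetical web UI that
echoes a user-controlled field and checks whether rendering it lets an
attacker add elements or event handlers to the page."""
from html import escape
from html.parser import HTMLParser
from typing import Dict, List

# Constructed payloads: what a low-privilege (PR:L) user could store and a
# higher-privilege user would later render (UI:R). Any script in them would run
# in the viewer's browser, which is why the CVSS vector carries S:C.
PAYLOAD_BODY = '<img src=x onerror="fetch(\'/admin\')">'
PAYLOAD_ATTR = '" autofocus onfocus="fetch(\'/admin\')'


def render_body_unsafe(device_name: str) -> str:
    """Vulnerable pattern: raw user input concatenated into element content."""
    return f"<h1>Device: {device_name}</h1>"


def render_body_safe(device_name: str) -> str:
    """Hardened: HTML-encode for body context (&, <, > become entities)."""
    return f"<h1>Device: {escape(device_name, quote=True)}</h1>"


def render_attr_unsafe(device_name: str) -> str:
    """Vulnerable pattern: raw user input inside a quoted attribute value."""
    return f'<input name="label" value="{device_name}">'


def render_attr_safe(device_name: str) -> str:
    """Hardened: quote=True also encodes " and ', so the value cannot close the
    attribute and start a new one."""
    return f'<input name="label" value="{escape(device_name, quote=True)}">'


class _TagCollector(HTMLParser):
    """Collects start tags and any on* event-handler attributes seen."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.event_handlers: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers += [k for k, _ in attrs if k.lower().startswith("on")]


def audit(rendered: str, template_tags=("h1", "input")) -> Dict[str, List[str]]:
    """Parse the rendered fragment the way a browser would and report what the
    template did not intend: extra elements and inline event handlers."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return {
        "unexpected_tags": [t for t in parser.tags if t not in template_tags],
        "event_handlers": parser.event_handlers,
    }


if __name__ == "__main__":
    for label, fn, payload in [
        ("body/unsafe", render_body_unsafe, PAYLOAD_BODY),
        ("body/safe", render_body_safe, PAYLOAD_BODY),
        ("attr/unsafe", render_attr_unsafe, PAYLOAD_ATTR),
        ("attr/safe", render_attr_safe, PAYLOAD_ATTR),
    ]:
        print(label, audit(fn(payload)))
```

The audit uses the standard library's HTMLParser as a stand-in for the browser's view of the page; an injected `<img onerror=...>` only matters if a browser parses it as an element, so that is what the check measures. Note that the attribute case is only safe because `quote=True` encodes the double quote; `escape(value)` with the default would still stop `<img>` but not the attribute breakout.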

Evidence notes

CISA CSAF advisory ICSA-24-303-02 identifies the affected product as Solar-Log Base 15 running Firmware_6.0.1_Build_161. The advisory specifies XSS as the vulnerability type with impact including access control bypass and unauthorized access. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N yields score 5.4. Vendor fix version 6.2.0-170 is documented in remediations.

Official resources

2024-10-29