PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-13932 SolisCloud CVE debrief

CVE-2025-13932 is a HIGH-severity (CVSS 7.7) Broken Access Control vulnerability in the SolisCloud Monitoring Platform, specifically an Insecure Direct Object Reference (IDOR) in the Cloud API & Device Control API. Published on 2025-12-04, this vulnerability allows any authenticated user to access detailed data of any plant by manipulating the plant_id parameter in API requests. The vulnerability has a network attack vector with low attack complexity, requiring low privileges but no user interaction. The scope is changed, with high confidentiality impact but no integrity or availability impact. CISA published advisory ICSA-25-338-06 on the same date. Notably, SolisCloud has not responded to CISA's requests to collaborate on mitigation, leaving users to contact SolisCloud customer support directly for assistance. This represents a significant exposure for solar energy infrastructure operators using the SolisCloud platform, as plant-level data could include sensitive operational information, energy production statistics, and potentially device control capabilities.

Vendor: SolisCloud
Product: Monitoring Platform (Cloud API & Device Control API)
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-04
Original CVE updated: 2025-12-04
Advisory published: 2025-12-04
Advisory updated: 2025-12-04

Who should care

Solar energy facility operators, OT security teams, renewable energy asset managers, critical infrastructure security practitioners, and organizations utilizing SolisCloud for photovoltaic plant monitoring and device control. The vendor's lack of CISA coordination elevates risk for users dependent on timely security response.

Technical summary

The SolisCloud Monitoring Platform's Cloud API & Device Control API contains an Insecure Direct Object Reference (IDOR) vulnerability. The server does not verify that the authenticated caller is entitled to the plant_id supplied in an API request, so any authenticated user can substitute arbitrary plant identifiers and retrieve detailed data for plants they do not own or operate. The vulnerability is classified as Broken Access Control (CWE-284) with IDOR characteristics (CWE-639). CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. The changed scope indicates that exploitation affects resources beyond the vulnerable component's own security authority, here the data of plants belonging to other customers. No integrity or availability impacts are scored, but confidentiality impact is rated HIGH due to potential exposure of operational technology data.

Defensive priority

HIGH

Recommended defensive actions

  • Contact SolisCloud customer support directly for mitigation information and patch status, as the vendor has not coordinated with CISA
  • Implement network segmentation to restrict SolisCloud API access to authorized administrative hosts only
  • Review and monitor API access logs for anomalous plant_id parameter values that may indicate exploitation attempts
  • Apply principle of least privilege to SolisCloud API credentials, limiting authentication to necessary operational accounts
  • Consider implementing an API gateway or WAF rule to validate and restrict plant_id parameter ranges to authorized values
  • Monitor for unauthorized data exfiltration from plant monitoring systems
  • Evaluate alternative monitoring platforms if vendor responsiveness remains inadequate for security requirements
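The following is an added example, not SolisCloud's code and not taken from the CISA advisory. It illustrates the two points above: the technical summary's missing object-level authorization check (an IDOR-prone lookup beside a hardened one that resolves plant_id only within the caller's entitlement set) and the recommended log review (a scanner that flags requests where an authenticated account asks for plant_id values it is not entitled to, and counts how many distinct foreign ids each account has touched). The log line format, endpoint path, account names, plant ids and entitlement map are all constructed assumptions; a real deployment would feed the scanner from the platform's actual access logs and tenancy records.

```python
"""Object-level authorization for a plant-detail lookup, plus an access-log
scanner for the IDOR pattern described in the advisory. Added example; all
names, paths and data below are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed entitlement data: which plants each authenticated account may view.
AUTHORIZED_PLANTS: Dict[str, Set[int]] = {
    "operator-a": {1001, 1002},
    "operator-b": {2001},
}

# Constructed plant records keyed by plant_id.
PLANTS = {
    1001: {"name": "Site A1", "kwh_today": 412.0},
    1002: {"name": "Site A2", "kwh_today": 388.5},
    2001: {"name": "Site B1", "kwh_today": 920.0},
}


def plant_detail_idor(user: str, plant_id: int) -> Optional[dict]:
    """IDOR-prone pattern: authentication happened upstream, but the handler
    trusts plant_id as supplied and never checks that `user` owns the plant."""
    return PLANTS.get(plant_id)


def plant_detail_checked(user: str, plant_id: int) -> Optional[dict]:
    """Hardened pattern: object-level authorization. The id is resolved only
    within the caller's own entitlement set; anything else is reported as
    not found, so the response does not reveal whether the id exists."""
    if plant_id not in AUTHORIZED_PLANTS.get(user, set()):
        return None
    return PLANTS.get(plant_id)


# Constructed access-log format (assumption): one request per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\S+) "
    r"plant_id=(?P<plant_id>\d+) status=(?P<status>\d+)$"
)

# Constructed sample log: operator-b requests plants it is not entitled to.
SAMPLE_LOG = """\
2025-12-05T08:00:01Z user=operator-a path=/api/plant/detail plant_id=1001 status=200
2025-12-05T08:00:09Z user=operator-a path=/api/plant/detail plant_id=1002 status=200
2025-12-05T08:01:30Z user=operator-b path=/api/plant/detail plant_id=2001 status=200
2025-12-05T08:02:00Z user=operator-b path=/api/plant/detail plant_id=1001 status=200
2025-12-05T08:02:02Z user=operator-b path=/api/plant/detail plant_id=1002 status=200
2025-12-05T08:02:04Z user=operator-b path=/api/plant/detail plant_id=1003 status=404
this line is malformed and is skipped by the scanner
"""


@dataclass
class Finding:
    ts: str
    user: str
    plant_id: int
    status: int
    served: bool  # True when the API returned data for a foreign plant_id


def scan_access_log(lines: Iterable[str],
                    authorized: Dict[str, Set[int]] = AUTHORIZED_PLANTS) -> List[Finding]:
    """Flag every request whose plant_id is outside the requesting account's
    entitlement set. Unparseable lines are skipped rather than trusted."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        user, pid, status = m["user"], int(m["plant_id"]), int(m["status"])
        if pid not in authorized.get(user, set()):
            findings.append(Finding(m["ts"], user, pid, status, status == 200))
    return findings


def enumeration_suspects(findings: List[Finding], threshold: int = 3) -> Dict[str, int]:
    """Accounts that touched at least `threshold` distinct foreign plant_ids;
    sequential probing of ids shows up here even when most requests fail."""
    distinct: Dict[str, Set[int]] = {}
    for f in findings:
        distinct.setdefault(f.user, set()).add(f.plant_id)
    return {u: len(ids) for u, ids in distinct.items() if len(ids) >= threshold}


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.user} requested foreign plant_id={h.plant_id} "
              f"status={h.status} served={h.served}")
    print("enumeration suspects:", enumeration_suspects(hits))
```

The `served` flag is the part worth alerting on first: a 200 for a plant_id outside the caller's entitlements means the platform handed over another customer's data, which is the advisory's confidentiality impact realised, whereas a run of 404s for foreign ids indicates probing that the hardened handler would have denied.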

Evidence notes

The vulnerability description and CVSS scoring are sourced from CISA CSAF advisory ICSA-25-338-06. The vendor non-response is explicitly documented in the remediation section of the source advisory.

Official resources

CISA published advisory ICSA-25-338-06 on 2025-12-04. SolisCloud has not responded to CISA requests to work on mitigation.