PatchSiren cyber security CVE debrief
CVE-2024-50684 Sungrow CVE debrief
CVE-2024-50684 is a medium-severity cryptographic weakness in Sungrow's iSolarCloud Android app; the CISA advisory that tracks it also covers the related WiNet firmware. CISA states that the Android app used an insecure AES key with insufficient entropy to encrypt client data, which could allow an attacker who intercepts traffic to decrypt communications between the app and iSolarCloud. Sungrow's remediation guidance says updated WiNet firmware is available and that the iSolarCloud app has been fixed in the latest store release.
- Vendor: Sungrow
- Product: iSolarCloud Android App
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-03-13
- Original CVE updated: 2025-03-13
- Advisory published: 2025-03-13
- Advisory updated: 2025-03-13
Who should care
Organizations using Sungrow iSolarCloud Android App version 2.1.6 or earlier, and environments that deploy Sungrow WiNet firmware (the advisory lists all versions as affected), should review this advisory. Security and operations teams supporting mobile-to-cloud workflows in industrial or energy management environments should confirm that updates are applied.
Technical summary
The advisory describes weak cryptographic key generation in the iSolarCloud Android application: an insecure AES key with insufficient entropy. The problem is the key, not the cipher. AES itself is sound, but a key generated from a small or predictable seed has far fewer possible values than its nominal 128 or 256 bits, so an attacker who captures traffic between the app and iSolarCloud can enumerate candidate keys offline against the captured ciphertext and decrypt it. CISA's CSAF lists the affected products as Sungrow iSolarCloud Android App <=2.1.6 and Sungrow WiNet Firmware: all versions. The CVSS v3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N, scoring 6.5 (Medium): reachable over the network with no privileges or user interaction, but high attack complexity because the attacker must first be positioned to intercept the traffic; the impact is high on confidentiality and low on integrity.
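The following is an added illustration of the weakness class the advisory names (insufficient entropy in an encryption key), not Sungrow's code and not a description of how the iSolarCloud app actually derives its key. It assumes a hypothetical derivation pattern (a 128-bit key stretched from a 4-digit seed) and a constructed JSON payload so that the offline enumeration runs in milliseconds. SHA-256 in counter mode stands in for AES-CTR so the example needs only the standard library; the lesson is the same because an attacker enumerates keys, not cipher internals.

```python
# Added illustration of CWE-331 style weakness: an AES-sized key whose
# entropy is far below its length. Not Sungrow's code; the 4-digit seed is a
# hypothetical derivation pattern chosen so the brute force finishes quickly.
import hashlib
import math
import secrets

# Constructed assumption: the client payload is a JSON object whose first
# field is known, which gives the attacker a crib to recognise a correct key.
CRIB = b'{"user"'


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a stand-in for AES-CTR so the example runs on
    the standard library alone. The entropy lesson does not depend on the cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; a stream cipher is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, nonce, len(data))))


def weak_key(seed: str) -> bytes:
    """Hypothetical weak derivation: 128 bits of key material from a 4-digit
    seed. The bytes look random, yet only 10_000 distinct keys can ever occur."""
    return hashlib.sha256(seed.encode()).digest()[:16]


def strong_key() -> bytes:
    """What a fix should look like: 128 bits straight from the OS CSPRNG."""
    return secrets.token_bytes(16)


def key_space_bits(candidates: int) -> float:
    """Effective key strength in bits, which is what the attacker's cost tracks."""
    return math.log2(candidates)


def brute_force(ciphertext: bytes, nonce: bytes, crib: bytes = CRIB):
    """Offline attack on intercepted ciphertext: try every seed and keep the
    one whose decryption starts with the expected plaintext format."""
    for n in range(10_000):
        seed = f"{n:04d}"
        if xor_crypt(weak_key(seed), nonce, ciphertext[: len(crib)]) == crib:
            return seed, xor_crypt(weak_key(seed), nonce, ciphertext)
    return None


# Constructed sample of what an attacker positioned on the network captures.
SAMPLE_PLAINTEXT = b'{"user":"plant-admin","token":"s3cr3t-session"}'
SAMPLE_NONCE = bytes.fromhex("00112233445566778899aabb")
SAMPLE_CIPHERTEXT = xor_crypt(weak_key("4271"), SAMPLE_NONCE, SAMPLE_PLAINTEXT)


def demo() -> dict:
    """Recover the weak-key plaintext, then show the strong key round-trips
    while offering a 128-bit search space instead of ~13 bits."""
    recovered = brute_force(SAMPLE_CIPHERTEXT, SAMPLE_NONCE)
    k = strong_key()
    roundtrip = xor_crypt(k, SAMPLE_NONCE, xor_crypt(k, SAMPLE_NONCE, SAMPLE_PLAINTEXT))
    return {
        "weak_bits": key_space_bits(10_000),
        "strong_bits": key_space_bits(2 ** (8 * len(k))),
        "recovered_seed": recovered[0] if recovered else None,
        "recovered_plaintext": recovered[1] if recovered else None,
        "strong_roundtrip": roundtrip == SAMPLE_PLAINTEXT,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point for reviewers of a fix is the `key_space_bits` comparison: a key that is 16 bytes long but derived from 10,000 possible seeds is a 13-bit key, and no amount of AES strength compensates for that. Transport protection (TLS with server verification) is the other half, since the advisory's attack requires intercepting the traffic in the first place.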
Defensive priority
Medium
Recommended defensive actions
- Update Sungrow WiNet firmware to WINET-SV200.001.00.P028 or higher, as directed in the advisory.
- Update the iSolarCloud Android app to the latest version from the device app store.
- Verify asset inventories for Sungrow iSolarCloud Android App version 2.1.6 or earlier and any deployed WiNet firmware.
- Review mobile-to-cloud communications for expected TLS/transport protections and confirm no reliance on weak client-side encryption for sensitive data.
- Monitor Sungrow’s security notice page and CISA advisory for any follow-up guidance or clarifications.
Evidence notes
This debrief is based on the CISA CSAF advisory published on 2025-03-13 and the linked official CVE record. The advisory text states that the iSolarCloud Android mobile application uses an insecure AES key with insufficient entropy, which may allow attackers to decrypt intercepted communications between the mobile app and iSolarCloud. The CSAF also lists affected products as Sungrow iSolarCloud Android App <=2.1.6 and Sungrow WiNet Firmware: vers:all/*. Remediation guidance in the advisory directs users to apply WINET-SV200.001.00.P028 or higher and update the iSolarCloud Android App to the latest version via the device app store.
Official resources
- CVE-2024-50684 CVE record (CVE.org)
- CVE-2024-50684 NVD detail (NVD)
- Source item URL: CISA CSAF advisory (cisa_csaf)
CISA published the advisory and the initial CSAF revision on 2025-03-13T06:00:00.000Z; that date is used here as the vulnerability publication context. No KEV listing is indicated in the supplied data.