PatchSiren cyber security CVE debrief
CVE-2024-50685 Sungrow CVE debrief
CVE-2024-50685 covers an insecure direct object reference (IDOR) issue in Sungrow’s iSolarCloud API, specifically through the powerStationService model. According to CISA’s advisory published on 2025-03-13, the issue can allow unauthorized access to user data and may also permit modification of key identifying data values. The advisory lists Sungrow iSolarCloud Android App versions up to 2.1.6 and Sungrow WiNet Firmware as affected.
- Vendor: Sungrow
- Product: iSolarCloud Android App
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-03-13
- Original CVE updated: 2025-03-13
- Advisory published: 2025-03-13
- Advisory updated: 2025-03-13
Who should care
Operators and administrators using Sungrow iSolarCloud Android App or Sungrow WiNet Firmware, especially in environments where solar/energy management data integrity and user account data are important. Security teams responsible for mobile apps, device firmware, and API access control should prioritize review.
Technical summary
CISA describes multiple IDOR weaknesses in the powerStationService model of the iSolarCloud API. The advisory indicates an attacker could read data they are not authorized to view and potentially alter certain identifying values. The CVSS vector provided is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: a network-reachable issue requiring no privileges or user interaction, with low confidentiality and integrity impact and no availability impact.
Defensive priority
Medium priority. The issue is network-reachable and does not require privileges or user interaction, but the published impact is limited to low confidentiality and integrity. Remediation is straightforward and should be applied promptly in exposed or widely used deployments.
Recommended defensive actions
- Update Sungrow WiNet Firmware to WINET-SV200.001.00.P028 or higher.
- Update the iSolarCloud Android App to the latest version from the device app store.
- Verify that affected iSolarCloud deployments and any integrations built on them do not treat possession of an object identifier as proof of authorization; access to a resource should be tied to the requesting account, not to knowledge of its identifier.
- Review logs and API usage for unexpected access patterns involving powerStationService resources.
- Follow Sungrow’s security notice for vendor-specific guidance and confirmation of fixed versions.
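The two points above that a practitioner most needs to see concretely are the IDOR pattern itself (the technical summary) and what "unexpected access patterns involving powerStationService resources" look like in a log (the review action). The following is an added example written for this debrief; it is not Sungrow's code, not the iSolarCloud API, and does not reproduce the advisory's actual endpoints. The station records, the `/powerStationService/<id>` path shape, the account names and the log lines are all constructed assumptions. It shows a lookup that trusts the identifier alone beside one that checks ownership (for both the read and the identifying-value write the advisory mentions), and a log review that flags successful cross-owner reads and identifier enumeration.

```python
import re
from collections import defaultdict

# Constructed sample data (not real Sungrow records): station id -> owning
# account plus a field an unauthorized reader should never see.
STATIONS = {
    1001: {"owner": "acct-a", "name": "Station A", "inverter_serial": "SN-0001"},
    1002: {"owner": "acct-b", "name": "Station B", "inverter_serial": "SN-0002"},
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested station."""


def get_station_vulnerable(caller: str, station_id: int) -> dict:
    """IDOR-prone lookup: the identifier alone selects the record and the
    caller is never compared with the owner, so any caller who knows or
    guesses an id can read it (the advisory's PR:N vector says no privileges
    are needed at all)."""
    return STATIONS[station_id]


def can_access(caller: str, station_id: int) -> bool:
    """Ownership check shared by the hardened handlers below."""
    record = STATIONS.get(station_id)
    return record is not None and record["owner"] == caller


def get_station_checked(caller: str, station_id: int) -> dict:
    """Hardened lookup: the record is returned only to its owner. Missing and
    foreign ids produce the same error so the id space cannot be probed."""
    if not can_access(caller, station_id):
        raise Forbidden(f"{caller} may not access station {station_id}")
    return STATIONS[station_id]


def rename_station_checked(caller: str, station_id: int, new_name: str) -> dict:
    """Hardened write path: the same check guards modification of identifying
    values, the second impact the advisory describes."""
    record = get_station_checked(caller, station_id)
    record["name"] = new_name
    return record


# Constructed sample access log in a hypothetical format, one request per line.
SAMPLE_LOG = """\
2025-03-13T10:00:01Z user=acct-a GET /powerStationService/1001 status=200
2025-03-13T10:00:02Z user=acct-c GET /powerStationService/1001 status=200
2025-03-13T10:00:03Z user=acct-c GET /powerStationService/1002 status=200
2025-03-13T10:00:04Z user=acct-c GET /powerStationService/1003 status=403
2025-03-13T10:00:05Z user=acct-c GET /powerStationService/1004 status=403
2025-03-13T10:00:06Z user=acct-b GET /powerStationService/1002 status=200
"""

LOG_RE = re.compile(
    r"user=(?P<user>\S+) \S+ /powerStationService/(?P<id>\d+) status=(?P<status>\d+)"
)


def review_access_log(log_text: str, owners: dict, distinct_threshold: int = 3) -> dict:
    """Two findings a defender can act on:
      cross_owner: successful (2xx) reads of stations the account does not own,
                   i.e. requests an ownership check would have refused;
      enumeration: accounts touching at least `distinct_threshold` distinct ids
                   (a burst of 403s on consecutive ids is the usual tell)."""
    cross_owner = []
    ids_by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not powerStationService requests
        user, sid, status = m["user"], int(m["id"]), int(m["status"])
        ids_by_user[user].add(sid)
        owner = owners.get(sid, {}).get("owner")
        if 200 <= status < 300 and owner is not None and owner != user:
            cross_owner.append((user, sid, owner))
    enumeration = {
        u: sorted(ids) for u, ids in ids_by_user.items() if len(ids) >= distinct_threshold
    }
    return {"cross_owner": cross_owner, "enumeration": enumeration}


if __name__ == "__main__":
    print(get_station_vulnerable("acct-c", 1001))  # returns acct-a's record
    print(can_access("acct-c", 1001))              # False under the hardened check
    print(review_access_log(SAMPLE_LOG, STATIONS))
```

The `cross_owner` finding depends on having an ownership map to compare against, which for a hosted service like iSolarCloud only the vendor holds; an operator reviewing their own API client logs will mostly be limited to the `enumeration` heuristic (many distinct station ids from one account, especially with a run of denials), which is why the vendor update is the actual fix and the log review is a compensating check.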
Evidence notes
All material facts in this debrief come from the CISA CSAF advisory for ICSA-25-072-12 and the embedded remediation guidance. The advisory states the affected products are Sungrow iSolarCloud Android App: <=2.1.6 and Sungrow WiNet Firmware: vers:all/*, and that updated firmware is available at WINET-SV200.001.00.P028 or higher. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The issue description in the source explicitly identifies multiple IDORs via the powerStationService API model.
Official resources
- CVE-2024-50685 CVE record (CVE.org)
- CVE-2024-50685 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2025-03-13 via ICS advisory ICSA-25-072-12; the CVE and source advisory share the same published and modified date in the supplied corpus.