PatchSiren cyber security CVE debrief

CVE-2024-50686 Sungrow CVE debrief

CVE-2024-50686 is a Sungrow issue in the Solar iCloud API's commonService API model that CISA describes as multiple insecure direct object reference (IDOR) weaknesses. The advisory says the flaw may let an attacker gain unauthorized access to user data and potentially modify key identifying data values. CISA published the advisory on 2025-03-13 and lists affected Sungrow iSolarCloud Android App versions up to 2.1.6 and WiNet Firmware across all versions.

Vendor: Sungrow
Product: iSolarCloud Android App
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-13
Original CVE updated: 2025-03-13
Advisory published: 2025-03-13
Advisory updated: 2025-03-13

Who should care

Sungrow customers, solar site operators, installers, and security teams responsible for iSolarCloud Android App deployments or WiNet firmware, especially where the Solar iCloud API is used to manage users, devices, or site data.

Technical summary

The advisory describes authorization failures in the Solar iCloud API commonService API model, where direct object references are not properly protected: the API acts on the object identifier supplied in a request without confirming that the caller is entitled to that object. CISA assigns CVSS 3.1 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating a network-reachable, low-complexity issue that requires no privileges and has a limited confidentiality impact. The source text also states that attackers may be able to access user data and potentially alter identifying data values; note that the vector scores integrity as none (I:N) even though the advisory wording mentions modification, so the published score reflects the disclosure impact only.

Defensive priority

Medium. The issue is remotely reachable and unauthenticated, but the published CVSS score is moderate and the provided corpus does not indicate KEV listing or known active exploitation.

Recommended defensive actions

  • Update Sungrow WiNet Firmware to WINET-SV200.001.00.P028 or higher.
  • Update the iSolarCloud Android App to the latest version from the device app store and verify affected versions at or below 2.1.6 are no longer in use.
  • Review Sungrow's security notice for product-specific guidance and deployment checks.
  • Inventory affected assets and confirm which sites, devices, or accounts depend on the Solar iCloud API.
  • Monitor for unauthorized access to user data or unexpected changes to key identifying data values.
  • Apply CISA ICS recommended practices and verify that API authorization checks are enforced on any related integrations.
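The IDOR pattern described in the technical summary, and the "verify that API authorization checks are enforced" action above, are easier to reason about with a concrete shape in front of you. The following is an added example written for this debrief, not Sungrow's Solar iCloud API or commonService code: a hypothetical in-memory user store with a vulnerable handler pair that trusts the request's object id, a hardened pair that authenticates and then checks ownership, and a small log scan that flags callers sweeping many distinct ids. The record fields, callers, ids, the `/api/user/<id>` path and the log lines are all constructed sample data.

```python
"""Added, hypothetical illustration of the IDOR weakness class in the debrief.
Not Sungrow's Solar iCloud API or commonService code; all data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UserRecord:
    user_id: int
    owner: str        # account entitled to read/modify this record
    email: str
    serial_no: str    # stands in for a "key identifying data value"


def make_store() -> Dict[int, UserRecord]:
    """Fresh in-memory store (constructed sample data) for each call sequence."""
    return {
        1001: UserRecord(1001, "alice", "alice@example.invalid", "SN-0001"),
        1002: UserRecord(1002, "bob", "bob@example.invalid", "SN-0002"),
    }


class Forbidden(Exception):
    """Raised when the caller is not entitled to the referenced object."""


# --- Vulnerable shape: the id in the request is trusted as-is (IDOR) ---------

def get_user_vulnerable(store, caller: Optional[str], user_id: int):
    # No authentication or ownership check: any caller can walk the id space.
    return store.get(user_id)


def update_serial_vulnerable(store, caller: Optional[str], user_id: int, new_serial: str) -> bool:
    rec = store.get(user_id)
    if rec is None:
        return False
    rec.serial_no = new_serial   # identifying value changed without authorization
    return True


# --- Hardened shape: authenticate, then authorize against the object's owner --

def _authorize(store, caller: Optional[str], user_id: int) -> UserRecord:
    if caller is None:
        raise Forbidden("authentication required")
    rec = store.get(user_id)
    # Same failure for "missing" and "not yours", so a client cannot use the
    # difference between 403 and 404 responses to discover which ids exist.
    if rec is None or rec.owner != caller:
        raise Forbidden("object not accessible to caller")
    return rec


def get_user_safe(store, caller: Optional[str], user_id: int) -> UserRecord:
    return _authorize(store, caller, user_id)


def update_serial_safe(store, caller: Optional[str], user_id: int, new_serial: str) -> bool:
    rec = _authorize(store, caller, user_id)   # ownership checked before any write
    rec.serial_no = new_serial
    return True


def is_denied(fn, *args) -> bool:
    """True if the handler refuses the call with Forbidden (helper for checks)."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True


# --- Detection: callers that touch many distinct object ids ------------------

# Constructed access-log line shape; the path is hypothetical, not the product's.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) caller=(?P<caller>\S+) GET /api/user/(?P<oid>\d+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2025-03-13T10:00:01Z caller=alice GET /api/user/1001 200
2025-03-13T10:00:02Z caller=scanner GET /api/user/1001 200
2025-03-13T10:00:02Z caller=scanner GET /api/user/1002 200
2025-03-13T10:00:03Z caller=scanner GET /api/user/1003 200
2025-03-13T10:00:03Z caller=scanner GET /api/user/1004 200
2025-03-13T10:00:04Z caller=scanner GET /api/user/1005 200
2025-03-13T10:00:05Z caller=bob GET /api/user/1002 200
2025-03-13T10:00:06Z garbage line that does not parse
"""


def enumeration_suspects(log_text: str, threshold: int = 5) -> List[str]:
    """Callers that requested at least `threshold` distinct object ids.

    A legitimate app user touches a handful of their own objects; a caller
    sweeping consecutive ids is the access pattern an unchecked object
    reference invites, and is worth alerting on even when every response is 200.
    """
    seen: Dict[str, set] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # ignore lines that are not in the expected shape
        seen.setdefault(m["caller"], set()).add(m["oid"])
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)
```

The hardened handlers resolve the object first and compare its owner to the authenticated caller, returning one error for both "does not exist" and "belongs to someone else"; the detection function is intentionally status-agnostic because, against a vulnerable endpoint, enumeration succeeds with 200 responses and only the breadth of ids per caller gives it away.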

Evidence notes

Primary evidence comes from CISA's CSAF advisory ICSA-25-072-12, published 2025-03-13, which names the affected products, describes the IDOR issue, and provides remediation guidance. The source corpus also includes the official CVE record link and Sungrow's security notice reference. No KEV entry is present in the supplied timeline.

Official resources

Publicly disclosed by CISA in ICSA-25-072-12 on 2025-03-13. The provided corpus does not list a KEV designation or evidence of active exploitation.