PatchSiren cyber security CVE debrief
CVE-2024-50688 Sungrow CVE debrief
CISA’s 2025-03-13 advisory for CVE-2024-50688 says Sungrow’s iSolarCloud Android App (<= 2.1.6) and WiNet Firmware use hard-coded MQTT credentials when exchanging device telemetry. That creates a risk of unauthorized access to user accounts and sensitive information; the advisory also states an attacker may be able to execute arbitrary code. Sungrow’s stated remediation is to update WiNet firmware to WINET-SV200.001.00.P028 or higher and install the latest iSolarCloud app from the device app store.
- Vendor: Sungrow
- Product: iSolarCloud Android App
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-03-13
- Original CVE updated: 2025-03-13
- Advisory published: 2025-03-13
- Advisory updated: 2025-03-13
Who should care
Sungrow customers, installers, and operators using iSolarCloud-connected solar/energy systems; IT/OT security teams responsible for remote monitoring, mobile apps, or device telemetry paths; defenders managing fleets that include Sungrow WiNet firmware or the iSolarCloud Android app.
Technical summary
The advisory identifies hard-coded MQTT credentials in the iSolarCloud Android application and the cloud telemetry exchange path. The affected products listed by CISA are Sungrow iSolarCloud Android App <= 2.1.6 and Sungrow WiNet Firmware (all versions). Because the credentials are embedded in the app and firmware rather than provisioned uniquely per deployment, anyone who extracts them from one copy can use them against the telemetry broker and the data it carries, and the broker cannot distinguish that client from any legitimate device. The supplied advisory text also notes possible arbitrary code execution, but the supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) scores only a low confidentiality impact with no integrity or availability impact, so the code-execution claim is not reflected in the 5.3 score; treat the score as a floor rather than a full characterisation of the risk.
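The advisory does not publish the credentials or where they sit in the binary, so the following is an added, generic example rather than anything taken from Sungrow's app or firmware: a heuristic scanner that a team can run over the string table of its own APK (for instance the output of `strings` on `classes.dex`, or apktool's decoded resources) or of an unpacked firmware image to catch the same class of defect, an MQTT broker URI with embedded userinfo or a literal username/password assignment. The regexes, the sample strings and the placeholder rule are assumptions of this example; it will miss obfuscated or encoded secrets.

```python
"""Heuristic scan for hard-coded MQTT credentials in a dumped string table.

Added example for this debrief; not Sungrow code and not derived from the
advisory. Input is one string per line (e.g. `strings classes.dex`).
"""
import re

# Rule 1: a broker URI that carries userinfo, e.g. mqtt://user:pass@host:8883
URI_WITH_USERINFO = re.compile(
    r"\b(?:mqtts?|ssl|tcp|wss?)://([^\s:@/]+):([^\s@/]+)@([^\s/:]+)(?::(\d+))?",
    re.I,
)

# Rule 2: a literal assignment such as mqtt_username="x" or "mqttPassword": "y"
CRED_ASSIGN = re.compile(
    r"""["']?\b(mqtt[_.]?(?:user(?:name)?|pass(?:word)?|pwd))\b["']?\s*[=:]\s*["']([^"']*)["']""",
    re.I,
)

# Values that are filled in at runtime are not hard-coded secrets; skip them.
PLACEHOLDER = re.compile(r"^\s*$|^\$\{.*\}$|^%[sd]$|^<.*>$")


def mask(secret: str) -> str:
    """Keep a two-character prefix so findings can be matched up without
    copying the full secret into a report."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_strings(lines):
    """Return one finding dict per line that looks like an embedded credential."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = URI_WITH_USERINFO.search(line)
        if m:
            user, pwd, host = m.group(1), m.group(2), m.group(3)
            findings.append({"line": n, "kind": "uri_userinfo",
                             "user": user, "host": host, "secret": mask(pwd)})
            continue
        m = CRED_ASSIGN.search(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            findings.append({"line": n, "kind": "assignment",
                             "key": m.group(1), "secret": mask(m.group(2))})
    return findings


# Constructed sample input (hostnames use the reserved .invalid TLD).
SAMPLE_STRINGS = """\
Landroid/os/Bundle;
tcp://telemetry.example.invalid:1883
mqtt://device:s3cr3t@broker.example.invalid:8883
mqtt_username="fleet_ro"
mqttPassword = 'Tr0ub4dor'
{"mqttUser": "${MQTT_USER}"}
""".splitlines()

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f)
```

Line 2 of the sample (a bare broker endpoint) and line 6 (a `${...}` template filled at runtime) are deliberately not reported; a bare endpoint is not a secret, and a templated value is exactly what a per-deployment provisioning fix should leave behind in the binary. Anything the scanner does report should be rotated at the broker, not merely removed from the next build, because every shipped copy already contains it.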
Defensive priority
Medium. Prioritize if Sungrow telemetry, remote monitoring, or mobile app access is exposed in production environments, especially where OT visibility or operational data is shared across sites.
Recommended defensive actions
- Update Sungrow WiNet firmware to WINET-SV200.001.00.P028 or higher.
- Update the iSolarCloud Android app to the latest version from the device app store.
- Inventory Sungrow deployments and confirm whether any systems run iSolarCloud Android App <= 2.1.6 or WiNet Firmware on affected versions.
- Review MQTT broker and telemetry access logs for connections from unexpected sources. Because the credentials are shared across deployments rather than unique per device, a connection using them cannot be attributed to a particular installation, so treat them as exposed from the moment of public disclosure and confirm with the vendor that the fixed releases no longer rely on them.
- Follow Sungrow’s security notice and CISA ICS recommended practices for segmentation, access control, and defense in depth.
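The inventory step above comes down to two version comparisons against thresholds the advisory does give: iSolarCloud Android App builds numbered 2.1.6 or lower, and WiNet builds below WINET-SV200.001.00.P028. The following is an added example of that triage written for this debrief, not a Sungrow tool; the CSV inventory layout (asset,type,version), the type labels and the sample rows are assumptions. It parses both version formats into integer tuples so that, for example, app build 2.1.10 is correctly treated as newer than 2.1.6 rather than older, which a plain string comparison would get wrong.

```python
"""Flag Sungrow assets still on versions affected by CVE-2024-50688.

Added example for this debrief, not vendor code. Thresholds from the CISA
advisory: iSolarCloud Android App <= 2.1.6 is affected; WiNet firmware
must be WINET-SV200.001.00.P028 or higher. Inventory format is assumed.
"""
import csv
import io
import re

APP_LAST_AFFECTED = (2, 1, 6)              # app builds <= this are affected
WINET_FIXED = "WINET-SV200.001.00.P028"     # this build or higher is fixed

# Assumed shape of the WiNet build string: WINET-SV<a>.<b>.<c>.P<patch>
_WINET_RE = re.compile(r"^WINET-SV(\d+)\.(\d+)\.(\d+)\.P(\d+)$")


def app_version_key(version: str) -> tuple:
    """'2.1.10' -> (2, 1, 10); integer tuples compare numerically."""
    return tuple(int(p) for p in version.strip().split("."))


def winet_version_key(version: str) -> tuple:
    """'WINET-SV200.001.00.P028' -> (200, 1, 0, 28)."""
    m = _WINET_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised WiNet version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(asset_type: str, version: str) -> bool:
    """True if the asset is still on a version the advisory lists as affected."""
    if asset_type == "isolarcloud_android":
        return app_version_key(version) <= APP_LAST_AFFECTED
    if asset_type == "winet":
        return winet_version_key(version) < winet_version_key(WINET_FIXED)
    raise ValueError(f"unknown asset type: {asset_type!r}")


def triage(inventory_csv: str) -> list:
    """Return (asset, type, version) for each row that still needs the update."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_affected(row["type"], row["version"]):
            findings.append((row["asset"], row["type"], row["version"]))
    return findings


# Constructed sample inventory; asset names and versions are illustrative.
SAMPLE_INVENTORY = """asset,type,version
site-A-winet,winet,WINET-SV200.001.00.P027
site-B-winet,winet,WINET-SV200.001.00.P028
site-C-winet,winet,WINET-SV200.001.00.P030
installer-phone-1,isolarcloud_android,2.1.6
installer-phone-2,isolarcloud_android,2.1.10
"""

if __name__ == "__main__":
    for asset, kind, ver in triage(SAMPLE_INVENTORY):
        print(f"NEEDS UPDATE  {asset:<20} {kind:<20} {ver}")
```

The script raises on any version string it cannot parse rather than silently passing it, since an unparseable entry in a fleet inventory is itself something to go and check. Feed it the real export from your asset management system in place of `SAMPLE_INVENTORY`.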
Evidence notes
All substantive claims are taken from the supplied CISA CSAF advisory text and its remediation entries. The advisory states that the iSolarCloud Android application and the cloud use hard-coded MQTT credentials for exchanging device telemetry, affecting iSolarCloud Android App <= 2.1.6 and WiNet Firmware (all versions). The remediation section specifies WINET-SV200.001.00.P028 or higher for WiNet firmware and updating the iSolarCloud app via the app store. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
Official resources
- CVE-2024-50688 CVE record (CVE.org)
- CVE-2024-50688 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA in ICS Advisory ICSA-25-072-12 on 2025-03-13 (initial publication).