PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-50689 Sungrow CVE debrief

CISA’s 2025-03-13 advisory for CVE-2024-50689 describes multiple IDOR issues in Sungrow’s Solar iCloud API orgService model. The flaw may let an attacker access user data without authorization and potentially modify key identifying values. Affected products are the iSolarCloud Android App <=2.1.6 and WiNet Firmware (all versions), with Sungrow recommending a firmware update to WINET-SV200.001.00.P028 or later and the latest app version from the device app store.

Vendor: Sungrow
Product: iSolarCloud Android App
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-13
Original CVE updated: 2025-03-13
Advisory published: 2025-03-13
Advisory updated: 2025-03-13

Who should care

Sungrow customers and administrators running the iSolarCloud Android App <=2.1.6 or any version of WiNet Firmware, especially teams responsible for solar/OT environments, mobile app deployment, and account/data access controls.

Technical summary

The advisory attributes the issue to multiple insecure direct object references (IDOR) in the orgService API model of the Solar iCloud API. Based on the supplied CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), the weakness is network-reachable, requires no privileges or user interaction, and carries high confidentiality impact with limited integrity impact and no availability impact. CISA lists the affected products as Sungrow iSolarCloud Android App <=2.1.6 and all versions of Sungrow WiNet Firmware, and notes remediation through updated firmware plus an updated app.

Defensive priority

High. The issue is remotely reachable, needs no authentication, and can affect user data and identifying fields. Prioritize patching and access review in environments exposing Sungrow services or paired mobile management workflows.

Recommended defensive actions

  • Update Sungrow WiNet Firmware to WINET-SV200.001.00.P028 or higher.
  • Update the iSolarCloud Android App to the latest version from the device app store.
  • Verify affected devices match the advisory scope: iSolarCloud Android App <=2.1.6 and WiNet Firmware all versions.
  • Review access controls and API authorization handling for Solar iCloud/orgService integrations.
  • Use Sungrow’s security notice for vendor guidance and deployment-specific instructions.

Evidence notes

All claims above are taken from the supplied CISA CSAF advisory metadata for ICSA-25-072-12 / CVE-2024-50689 and its included remediation text. The corpus states the advisory was initially published on 2025-03-13T06:00:00Z. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (score 8.2). No KEV listing or exploitation-in-the-wild indicator was supplied.

Official resources

CISA published ICSA-25-072-12 for CVE-2024-50689 on 2025-03-13; the supplied corpus shows initial publication on that date and no KEV listing.