PatchSiren cyber security CVE debrief
CVE-2024-50690 Sungrow CVE debrief
CVE-2024-50690 is a Sungrow issue disclosed by CISA on 2025-03-13. The advisory says the WiNet WebUI contains a hard-coded password that can be used to decrypt all firmware updates, and notes that the vulnerability can allow an attacker to gain unauthorized access to accounts. CISA lists Sungrow iSolarCloud Android App versions up to 2.1.6 and all versions of Sungrow WiNet Firmware as affected, with vendor fixes available.
- Vendor: Sungrow
- Product: iSolarCloud Android App
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-03-13
- Original CVE updated: 2025-03-13
- Advisory published: 2025-03-13
- Advisory updated: 2025-03-13
Who should care
Sungrow iSolarCloud users, Sungrow WiNet firmware operators, solar/OT administrators, and anyone responsible for managing Sungrow-connected equipment or mobile app deployments.
Technical summary
According to the CISA CSAF advisory, the WiNet WebUI uses a hard-coded password that can decrypt firmware updates. That design weakness affects Sungrow iSolarCloud Android App <=2.1.6 and Sungrow WiNet Firmware: vers:all/* in the advisory product tree. Sungrow’s remediation guidance says updated WiNet firmware is available at WINET-SV200.001.00.P028 or higher, and the iSolarCloud Android App has been repaired and requires no further user action once updated through the device app store.
Defensive priority
Medium. The issue is network-relevant and impacts firmware update confidentiality/handling, but the supplied corpus does not indicate KEV listing or known active exploitation. Prioritize upgrading affected WiNet firmware and verifying app versions.
Recommended defensive actions
- Update Sungrow WiNet Firmware to WINET-SV200.001.00.P028 or higher.
- Update the iSolarCloud Android App to the latest version from the official device app store.
- Review Sungrow’s security notice for product-specific guidance and deployment notes.
- Confirm whether any devices are still running affected WiNet firmware or iSolarCloud versions <=2.1.6.
- Apply standard ICS hardening and defense-in-depth practices for update channels and management interfaces.
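One way to carry out the version confirmation step above against an asset inventory, as an added example that is not part of the advisory or any Sungrow tooling. The record fields, the host names and the rule that build strings compare field by field are assumptions; the sample inventory is constructed.

```python
import re

# Version boundaries exactly as stated in the advisory text above.
FIXED_FW = "WINET-SV200.001.00.P028"
LAST_AFFECTED_APP = (2, 1, 6)

# Assumption: build strings follow the shape of the fixed version named on the
# page and order field by field, left to right, as integers.
FW_RE = re.compile(r"^WINET-SV(\d+)\.(\d+)\.(\d+)\.P(\d+)$")

def parse_fw(s):
    m = FW_RE.match(s.strip().upper())
    return tuple(int(g) for g in m.groups()) if m else None

def parse_app(s):
    parts = s.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    v = tuple(int(p) for p in parts)
    return v + (0,) * (3 - len(v))  # "2.1" compares as 2.1.0

def triage(record):
    """Return 'affected', 'fixed' or 'review' for one inventory record."""
    kind, version = record["kind"], record["version"]
    if kind == "winet_firmware":
        v = parse_fw(version)
        if v is None:
            return "review"  # unknown format: never assume it is patched
        return "fixed" if v >= parse_fw(FIXED_FW) else "affected"
    if kind == "isolarcloud_android":
        v = parse_app(version)
        if v is None:
            return "review"
        return "affected" if v <= LAST_AFFECTED_APP else "fixed"
    return "review"

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "site-a-dongle", "kind": "winet_firmware", "version": "WINET-SV200.001.00.P027"},
    {"host": "site-b-dongle", "kind": "winet_firmware", "version": "winet-sv200.001.00.p030"},
    {"host": "site-c-dongle", "kind": "winet_firmware", "version": "unknown"},
    {"host": "tech-phone-1", "kind": "isolarcloud_android", "version": "2.1.6"},
    {"host": "tech-phone-2", "kind": "isolarcloud_android", "version": "2.1.7"},
]

def report(inventory):
    return {r["host"]: triage(r) for r in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Records that come back as "review" carry a version string the parser does not recognise and need a manual check rather than being counted as patched.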
Evidence notes
This debrief is based only on the supplied CISA CSAF advisory and the linked official references. The source advisory states: a hard-coded password in WiNet WebUI can decrypt all firmware updates; affected products are Sungrow iSolarCloud Android App <=2.1.6 and Sungrow WiNet Firmware: vers:all/*; Sungrow has issued updated firmware and indicates the iSolarCloud app has been repaired. No KEV entry is present in the supplied enrichment data.
Official resources
- CVE-2024-50690 CVE record (CVE.org)
- CVE-2024-50690 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2025-03-13 (initial publication). The supplied enrichment does not show KEV inclusion or a known ransomware campaign association.