PatchSiren cyber security CVE debrief

CVE-2024-50691 Sungrow CVE debrief

CVE-2024-50691 is a Sungrow iSolarCloud issue publicly disclosed by CISA on 2025-03-13. The advisory says the Android app explicitly ignores certificate errors, which can let an adversary-in-the-middle impersonate the iSolarCloud server and communicate with the app. CISA’s advisory also lists Sungrow WiNet Firmware as affected and recommends updating both the app and firmware.

Vendor: Sungrow
Product: iSolarCloud Android App: <=2.1.6
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-13
Original CVE updated: 2025-03-13
Advisory published: 2025-03-13
Advisory updated: 2025-03-13

Who should care

Operators, administrators, and end users who rely on Sungrow iSolarCloud Android App version 2.1.6 or earlier, as well as environments using Sungrow WiNet firmware. This is especially relevant for industrial and remote-monitoring use cases where mobile app traffic must be trusted.

Technical summary

The core flaw is the Android app’s failure to enforce certificate validation. Because the app ignores certificate errors, a network attacker positioned in the traffic path can present a fraudulent server and interact with the app as if it were the legitimate iSolarCloud service. The supplied CVSS vector reflects network attackability, no privileges, no user interaction, and primary confidentiality impact with limited integrity impact. The advisory scope also includes WiNet Firmware, with Sungrow directing users to update to WINET-SV200.001.00.P028 or higher and to install the latest iSolarCloud app.

Defensive priority

Medium

Recommended defensive actions

  • Update the iSolarCloud Android app to the latest version from the official device app store.
  • If you use Sungrow WiNet firmware, apply WINET-SV200.001.00.P028 or higher.
  • Review any mobile-to-cloud or mobile-to-device workflows that depend on trusted TLS connections.
  • Monitor for unexpected certificate mismatches, proxying, or other signs of adversary-in-the-middle activity on related network paths.
  • Follow Sungrow’s security notice for product-specific guidance.
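
For the workflow review above, an added example (not from the advisory or from Sungrow) of a source check that flags Android/Java code which ignores certificate errors. The rules are generic, well-known anti-patterns and the sample source is constructed; the advisory does not say which mechanism the iSolarCloud app uses.

```python
import re

# Generic Android/Java patterns that switch off TLS certificate checks.
# Assumption: these are well-known anti-patterns, not code from the app.
RULES = [
    ("trust-all TrustManager", re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}")),
    ("accept-all HostnameVerifier", re.compile(
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("WebView proceeds on SSL error", re.compile(
        r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)")),
    ("legacy allow-all verifier", re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier")),
]
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def scan(source):
    # Blank out comments but keep newlines so line numbers stay correct.
    # Limitation: '//' inside a string literal is treated as a comment.
    text = COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    return sorted((text.count("\n", 0, m.start()) + 1, name)
                  for name, rx in RULES for m in rx.finditer(text))

# Constructed sample: three unsafe handlers and one safe verifier.
SAMPLE = '''\
class ApiClient {
    TrustManager tm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) {
            // accept everything
        }
    };
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String h, SSLSession s) { return true; }
    };
}
class Browser extends WebViewClient {
    public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
        h.proceed();
    }
}
class SafeVerifier implements HostnameVerifier {
    public boolean verify(String h, SSLSession s) {
        return HttpsURLConnection.getDefaultHostnameVerifier().verify(h, s);
    }
}
'''

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A finding means the handler accepts any server certificate or hostname; the fix is to remove the override so the platform's default validation applies.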

Evidence notes

CISA’s CSAF advisory (ICSA-25-072-12) states that the Android app for iSolarCloud explicitly ignores certificate errors and is vulnerable to adversary-in-the-middle attacks. The same advisory lists affected products as Sungrow iSolarCloud Android App <=2.1.6 and Sungrow WiNet Firmware: vers:all/*, and it recommends updating the firmware and app. The supplied enrichment marks the issue as not listed in CISA KEV.

Official resources

Publicly disclosed by CISA in advisory ICSA-25-072-12 on 2025-03-13. The supplied enrichment indicates the CVE was not added to CISA KEV.