PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-50693 Sungrow CVE debrief

CVE-2024-50693 is a high-severity Sungrow issue disclosed by CISA on 2025-03-13. The advisory says the Solar iCloud API contains multiple insecure direct object reference (IDOR) flaws in the userService API model, which could let an attacker access user data without authorization and potentially modify key identifying data values. The affected products listed in the advisory are Sungrow iSolarCloud Android App <= 2.1.6 and Sungrow WiNet Firmware (all versions). Sungrow’s remediation guidance in the advisory is to update WiNet firmware to WINET-SV200.001.00.P028 or higher and update the iSolarCloud Android App to the latest store version.

Vendor: Sungrow
Product: iSolarCloud Android App
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-13
Original CVE updated: 2025-03-13
Advisory published: 2025-03-13
Advisory updated: 2025-03-13

Who should care

Operators and administrators using Sungrow iSolarCloud Android App, Sungrow WiNet Firmware, and any teams responsible for solar/ICS fleet management, mobile app governance, or device identity and account data integrity.

Technical summary

The advisory describes an authorization weakness: multiple IDOR conditions in the Solar iCloud API userService model. In practical terms, API requests may allow access to data tied to other objects or accounts when object references are not properly validated. CISA’s CSAF lists impact as unauthorized access to user data and possible modification of key identifying values. The advisory identifies affected versions as iSolarCloud Android App <= 2.1.6 and WiNet Firmware versions all/*, with vendor-supplied fixes available.

Defensive priority

High. This is a network-relevant authorization flaw affecting asset and user data in an energy/ICS context, and the advisory includes a vendor fix. Prioritize patching and account/data integrity review.

Recommended defensive actions

  • Upgrade Sungrow WiNet Firmware to WINET-SV200.001.00.P028 or higher.
  • Update the iSolarCloud Android App to the latest version from the official device app store.
  • Review access logs and account activity for unauthorized data access or unexpected changes to identifying fields.
  • Validate that exposed API endpoints enforce object-level authorization and that only expected users can access associated records.
  • Use Sungrow’s security notice and CISA ICS guidance to support incident response and hardening checks.
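The following is an added illustration of the object-level authorization check the technical summary and the fourth action item describe; it is not Sungrow code and does not reflect the real iSolarCloud or WiNet API, whose userService model and request format are not shown on this page. The record store, the Request shape, the field names and the account names are constructed stand-ins. It places the IDOR pattern (record selected purely by the client-supplied id) beside a hardened handler that binds the id to the authenticated caller, allow-lists which fields a write may touch so identifying values cannot be rewritten, and records every denial in an audit log of the kind the log-review item asks teams to examine.

```python
"""Object-level authorization for a per-user record API.

Added example, not Sungrow code. The iSolarCloud/WiNet API is not public
on this page, so the record store, request shape and field names below are
constructed stand-ins (assumptions) used to show the pattern only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UserRecord:
    user_id: int            # object reference exposed to API clients
    owner_account: str      # account that is allowed to read/modify it
    email: str
    phone: str


# Constructed sample data: two accounts, each owning exactly one record.
RECORDS: Dict[int, UserRecord] = {
    1001: UserRecord(1001, "alice", "alice@example.test", "+1-555-0100"),
    1002: UserRecord(1002, "bob", "bob@example.test", "+1-555-0101"),
}


@dataclass
class Request:
    caller: str                     # account established by session/token validation
    user_id: int                    # object reference supplied by the client
    updates: Dict[str, str] = field(default_factory=dict)


# Denials are appended here; a real service would send them to its log pipeline.
AUDIT_LOG: List[str] = []


def get_user_idor(req: Request) -> Optional[UserRecord]:
    """Vulnerable pattern: the client-supplied id alone selects the record and
    the caller's identity is never compared against the record's owner."""
    return RECORDS.get(req.user_id)


def get_user_checked(req: Request) -> Optional[UserRecord]:
    """Hardened pattern: resolve the record, then verify the caller owns it.
    Unknown and foreign ids both yield None, so the response does not reveal
    which ids exist; every refusal is written to the audit log."""
    rec = RECORDS.get(req.user_id)
    if rec is None or rec.owner_account != req.caller:
        AUDIT_LOG.append(f"DENY caller={req.caller} object=user/{req.user_id}")
        return None
    return rec


# Only contact details may change through this endpoint; identifying values
# (the id and the owning account) are deliberately excluded.
MUTABLE_FIELDS = {"email", "phone"}


def update_user_checked(req: Request) -> bool:
    """Same ownership check on the write path, plus a field allow-list checked
    before anything is mutated. Returns True only when the update was applied."""
    rec = get_user_checked(req)
    if rec is None:
        return False
    rejected = set(req.updates) - MUTABLE_FIELDS
    if rejected:
        AUDIT_LOG.append(
            f"DENY caller={req.caller} object=user/{req.user_id} "
            f"fields={sorted(rejected)}"
        )
        return False
    for key, value in req.updates.items():
        setattr(rec, key, value)
    return True


if __name__ == "__main__":
    # bob asks for alice's record: the IDOR handler hands it over,
    # the checked handler refuses and logs the attempt.
    cross = Request(caller="bob", user_id=1001)
    print("IDOR handler returns:", get_user_idor(cross))
    print("Checked handler returns:", get_user_checked(cross))
    print("Owner updating phone:", update_user_checked(
        Request("alice", 1001, {"phone": "+1-555-0199"})))
    print("Owner rewriting identity field:", update_user_checked(
        Request("alice", 1001, {"owner_account": "bob"})))
    print("\n".join(AUDIT_LOG))
```

The useful property when validating a real endpoint is the second half of the check: a request whose caller is authenticated but does not own the referenced object must be refused exactly like a request for an id that does not exist, and that refusal should leave a log line with the caller and the object reference so that cross-account probing shows up in the access review the advisory recommends.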

Evidence notes

All factual statements are drawn from the supplied CISA CSAF source item for ICSA-25-072-12 and its referenced official links. The advisory publication date is 2025-03-13T06:00:00Z. The source text explicitly states the IDOR condition, the affected product/version ranges, and the remediation guidance. The supplied data does not list this CVE in CISA KEV.

Official resources

Publicly disclosed by CISA in the ICS advisory ICSA-25-072-12 on 2025-03-13; no KEV listing was provided in the supplied data.