- Experts claim that vulnerabilities in solar inverters could cause damage to the electricity grid
- The devices can be turned on and off, increasing the grid load
- 46 vulnerabilities were discovered, some of which could potentially expose user information
Solar inverters could be hijacked by cybercriminals to disrupt the power supply and damage the electricity grid.
46 vulnerabilities were found by Forescout [PDF] in solar inverters produced by Sungrow, Growatt and SMA.
Many of the vulnerabilities could lead to remote code execution (RCE), denial of service, device takeover, as well as access to cloud platforms and confidential information.
Electric grid hijacking
For SMA devices, only one vulnerability was found, CVE-2025-0731, which allows an attacker to use a demo account to upload an .aspx (Active Server Pages Extended) file instead of an image of the photovoltaic (PV) system, with the file then executed by the sunnyportal.com web server.
As for Sungrow solar inverters, insecure direct object reference (IDOR) vulnerabilities tracked as CVE-2024-50685, CVE-2024-50686 and CVE-2024-50693 could allow an attacker to harvest the serial numbers of communication dongles.
CVE-2024-50692 allows an attacker to use hard-coded MQTT credentials to send arbitrary commands to an arbitrary inverter dongle or carry out man-in-the-middle (MITM) attacks against MQTT communications.
The attacker can also use one of several critical stack overflow vulnerabilities (CVE-2024-50694, CVE-2024-50695, CVE-2024-50698) to execute code remotely on the server-connected dongles. Using this chain of vulnerabilities, an attacker could potentially reduce energy generation during peak hours to increase the load on the grid.
Growatt inverters can be hijacked through the cloud backend by enumerating usernames from an exposed Growatt API, and then using these usernames to take over accounts through two IDOR vulnerabilities.
All disclosed vulnerabilities have been patched by the manufacturers.