CVE-2024-50684
📋 TL;DR
The SunGrow iSolarCloud Android app uses a weak AES encryption key with insufficient randomness, allowing attackers to decrypt communications between the mobile app and cloud service. This affects all users of the Android app versions 2.1.6.20241017 and earlier who transmit sensitive data through the application.
💻 Affected Systems
- SunGrow iSolarCloud Android mobile application
📦 What is this software?
iSolarCloud by Sungrow Power
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept and decrypt all communications between the app and cloud service, exposing sensitive solar system data, user credentials, and potentially gaining control over connected solar equipment.
Likely Case
Attackers on the same network can decrypt transmitted data, potentially accessing solar system performance metrics, user information, and configuration details.
If Mitigated
With proper network segmentation and monitoring, impact is limited to data exposure without system compromise.
🎯 Exploit Status
Exploitation requires network access to intercept communications. No authentication needed to decrypt once traffic is captured.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after V2.1.6.20241017
Vendor Advisory: https://en.sungrowpower.com/security-notice-detail-2/6126
Restart Required: Yes
Instructions:
1. Open Google Play Store on the Android device.
2. Search for 'iSolarCloud'.
3. Update to the latest version.
4. Restart the application after the update.
🔧 Temporary Workarounds
Disable app usage on untrusted networks
Prevent using the iSolarCloud app on public or untrusted Wi-Fi networks to reduce interception risk.
Use VPN for all app communications
Route all app traffic through a trusted VPN to encrypt communications at the network layer.
🧯 If You Can't Patch
- Discontinue use of vulnerable app versions and switch to web interface if available
- Implement network monitoring for unusual traffic patterns from the app
🔍 How to Verify
Check if Vulnerable:
Check app version in Android Settings > Apps > iSolarCloud > App info. If version is 2.1.6.20241017 or earlier, you are vulnerable.
Check Version:
adb shell dumpsys package com.sungrow.isolarcloud | grep versionName
Verify Fix Applied:
Update app via Google Play Store and verify version is newer than 2.1.6.20241017.
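A defender-side version checker for the verification steps above, added here as example code that is not part of the advisory. It assumes the package name from the adb command above, parses the versionName line of `dumpsys package` output, and compares versions numerically per component rather than as strings (so 2.1.10.x is correctly treated as newer than 2.1.6.x); the dumpsys sample embedded below is constructed, not captured from a real device.

```python
import re
import subprocess

# Last vulnerable version named in the advisory; anything newer is fixed.
LAST_VULNERABLE = "2.1.6.20241017"
PACKAGE = "com.sungrow.isolarcloud"  # package name from the adb check above


def parse_version(text):
    """Split a dotted version into a tuple of ints so comparison is numeric
    per component (2.1.10 > 2.1.6), not lexicographic ("2.1.10" < "2.1.6")."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version_name):
    """True when the installed build is the last vulnerable version or older."""
    return parse_version(version_name) <= parse_version(LAST_VULNERABLE)


def version_from_dumpsys(dumpsys_output):
    """Extract versionName from `adb shell dumpsys package <pkg>` output.
    Returns None when no versionName line is present (package not installed)."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    return m.group(1) if m else None


def check_device(adb="adb"):
    """Query a connected device over adb; returns (versionName, vulnerable)."""
    out = subprocess.run([adb, "shell", "dumpsys", "package", PACKAGE],
                         capture_output=True, text=True, check=True).stdout
    version = version_from_dumpsys(out)
    if version is None:
        return None, False
    return version, is_vulnerable(version)


# Constructed sample of the relevant dumpsys lines (not from a real device).
SAMPLE_DUMPSYS = """Packages:
  Package [com.sungrow.isolarcloud] (placeholder):
    versionCode=20241017 minSdk=24 targetSdk=33
    versionName=2.1.6.20241017
"""

if __name__ == "__main__":
    v = version_from_dumpsys(SAMPLE_DUMPSYS)
    print(v, "VULNERABLE" if is_vulnerable(v) else "fixed")
```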
📡 Detection & Monitoring
Log Indicators:
- Unusual decryption errors in app logs
- Multiple failed authentication attempts
Network Indicators:
- Unencrypted or weakly encrypted traffic to iSolarCloud servers
- Man-in-the-middle attack patterns
SIEM Query:
source="android_app" app_name="iSolarCloud" version="2.1.6.20241017" OR version<="2.1.6.20241017"
Note: the version<= clause is a string comparison in most SIEMs, so a version such as 2.1.10.x sorts before 2.1.6.x and may be misclassified; confirm matches with the adb version check above.