CVE-2024-50687

9.1 CRITICAL

📋 TL;DR

SunGrow iSolarCloud versions before October 31, 2024 contain an insecure direct object reference (IDOR) vulnerability in the devService API model. This allows attackers to access or manipulate data belonging to other users without proper authorization. All users of affected iSolarCloud systems are impacted.

💻 Affected Systems

Products:
  • SunGrow iSolarCloud
Versions: All versions before October 31, 2024 remediation
Operating Systems: Not OS-specific - cloud/web application
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web/cloud interface of iSolarCloud systems

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all user data, including sensitive solar system configurations, energy production data, and potentially access to control systems.

🟠 Likely Case

Unauthorized access to other users' solar system data, energy production information, and configuration details.

🟢 If Mitigated

Limited impact with proper API authentication and authorization controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

IDOR vulnerabilities typically require some level of authenticated access, but they are easy to exploit once discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after October 31, 2024 remediation

Vendor Advisory: https://en.sungrowpower.com/security-notice-detail-2/6114

Restart Required: No

Instructions:

1. Access iSolarCloud admin interface
2. Check for and apply any available updates
3. Verify version is post-October 31, 2024 remediation
4. Test API endpoints for proper authorization

🔧 Temporary Workarounds

API Access Restriction (all)

Temporarily restrict access to devService API endpoints: configure the web application firewall to block /devService/* endpoints.

Enhanced Monitoring (all)

Implement detailed logging and monitoring for API access patterns: enable verbose API logging in the iSolarCloud configuration.

🧯 If You Can't Patch

  • Implement strict API authentication and authorization checks at the application layer
  • Deploy web application firewall with IDOR-specific rules and anomaly detection

🔍 How to Verify

Check if Vulnerable:

Test devService API endpoints with different user IDs to check whether data belonging to another account can be accessed without authorization.

Check Version:

Check the iSolarCloud admin interface for version information or the last update date.

Verify Fix Applied:

Verify that API endpoints properly validate the requesting user's authorization and return appropriate access-denied responses.

📡 Detection & Monitoring

Log Indicators:

  • Multiple user IDs accessed from single session
  • Unauthorized API calls to devService endpoints
  • Access denied errors for legitimate users

Network Indicators:

  • Unusual API call patterns to /devService/* endpoints
  • Rapid sequential requests with different parameters

SIEM Query:

source="iSolarCloud" AND (uri_path="/devService/*" AND (response_code=403 OR user_id_changes>1))
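As an added illustration of the log indicators above (not code from this page or from SunGrow), the following Python parses a constructed access log in a hypothetical format and flags sessions that request devService data for user IDs other than the authenticated user, or that vary user_id rapidly; the log field names, paths and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample access log (hypothetical format, not iSolarCloud's real schema):
# timestamp, session id, authenticated user, method, path?user_id=<requested owner>, status.
SAMPLE_LOG = """\
2024-10-30T10:00:01Z sess=A1 auth_user=1001 GET /devService/getPlantInfo?user_id=1001 200
2024-10-30T10:00:03Z sess=A1 auth_user=1001 GET /devService/getPlantInfo?user_id=1002 200
2024-10-30T10:00:04Z sess=A1 auth_user=1001 GET /devService/getPlantInfo?user_id=1003 200
2024-10-30T10:00:05Z sess=A1 auth_user=1001 GET /devService/getPlantInfo?user_id=1004 200
2024-10-30T10:05:00Z sess=B7 auth_user=2002 GET /devService/getDeviceList?user_id=2002 200
2024-10-30T10:07:00Z sess=C3 auth_user=3003 GET /devService/getPlantInfo?user_id=3003 200
2024-10-30T10:07:30Z sess=C3 auth_user=3003 GET /devService/getPlantInfo?user_id=3004 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) auth_user=(?P<auth>\d+) \S+ "
    r"(?P<path>/\S+?)\?user_id=(?P<target>\d+) (?P<status>\d{3})$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def detect_idor_patterns(events, window_seconds=10, burst_threshold=3):
    """Per session, report /devService/ requests whose user_id is not the authenticated user
    (foreign IDs) and bursts of >= burst_threshold distinct user_ids within window_seconds."""
    per_session = defaultdict(list)
    for e in events:
        if e["path"].startswith("/devService/"):
            per_session[e["sess"]].append(e)
    findings = {}
    for sess, evs in per_session.items():
        evs.sort(key=lambda e: e["ts"])
        foreign = sorted({e["target"] for e in evs if e["target"] != e["auth"]})
        burst = any(
            len({e["target"] for e in evs[i:]
                 if (e["ts"] - start["ts"]).total_seconds() <= window_seconds}) >= burst_threshold
            for i, start in enumerate(evs)
        )
        if foreign or burst:
            findings[sess] = {"foreign_user_ids": foreign, "burst": burst}
    return findings
```

Session B7 only requests its own data and is not reported; a flagged session is a lead for review, since legitimate installer or multi-site accounts may also touch several user IDs.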
