CVE-2024-50693

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass authorization controls in SunGrow iSolarCloud's userService API, enabling unauthorized access to other users' data and potentially administrative functions. All SunGrow iSolarCloud installations before the October 31, 2024 remediation are affected.

💻 Affected Systems

Products:
  • SunGrow iSolarCloud
Versions: All versions before October 31, 2024 remediation
Operating Systems: Any OS running iSolarCloud
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web API interface of iSolarCloud installations

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the solar monitoring system, allowing attackers to manipulate solar farm operations, steal sensitive customer data, or disrupt energy production.

🟠 Likely Case

Unauthorized access to other users' solar production data, billing information, and personal details through IDOR manipulation.

🟢 If Mitigated

Limited impact with proper API authentication and authorization controls in place, restricting access to authorized resources only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account, but that account can then bypass authorization checks to reach other users' resources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after October 31, 2024 remediation

Vendor Advisory: https://en.sungrowpower.com/security-notice-detail-2/6120

Restart Required: Yes

Instructions:

1. Contact SunGrow support for the latest patched version.
2. Backup current configuration.
3. Apply the patch provided by SunGrow.
4. Restart the iSolarCloud service.
5. Verify the fix is applied.

🔧 Temporary Workarounds

API Access Restriction

all

Restrict access to the userService API endpoints to authorized users only

Network Segmentation

all

Isolate iSolarCloud systems from untrusted networks

🧯 If You Can't Patch

  • Implement strict API authentication and authorization middleware
  • Deploy a web application firewall (WAF) with IDOR protection rules

🔍 How to Verify

Check if Vulnerable:

Test if you can access other users' data by manipulating object IDs in userService API requests

Check Version:

Check iSolarCloud admin interface for version information or contact SunGrow support

Verify Fix Applied:

Verify that object ID manipulation no longer allows access to unauthorized resources

📡 Detection & Monitoring

Log Indicators:

  • Unusual API access patterns
  • Multiple failed authorization attempts followed by successful access
  • Access to user IDs outside normal range

Network Indicators:

  • Unusual traffic to userService API endpoints
  • Requests with manipulated object IDs

SIEM Query:

source="iSolarCloud" AND (uri="*/userService/*" AND status=200) AND user_id NOT IN authorized_users
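As an added example (not code from the advisory or from SunGrow), the log and SIEM indicators above turned into a checker over constructed JSON log lines: one rule flags a non-admin caller reading another user's object with HTTP 200 (the "user_id NOT IN authorized_users" condition made concrete as "requested userId differs from the authenticated user"), the other flags the "failed authorization attempts followed by success" pattern. The field names, the /userService/ URI shape and the userId parameter are assumptions about the log format, not documented iSolarCloud fields.

```python
import json
import re
from collections import defaultdict

# Constructed sample events (one JSON object per line). Field names, URI shape and
# the userId parameter are assumptions, not documented iSolarCloud log fields.
SAMPLE_LOG = """\
{"ts": 1, "auth_user": "1001", "uri": "/userService/getUserInfo?userId=1001", "status": 200}
{"ts": 2, "auth_user": "1001", "uri": "/userService/getUserInfo?userId=1002", "status": 403}
{"ts": 3, "auth_user": "1001", "uri": "/userService/getUserInfo?userId=1003", "status": 403}
{"ts": 4, "auth_user": "1001", "uri": "/userService/getUserInfo?userId=1004", "status": 200}
{"ts": 5, "auth_user": "admin", "uri": "/userService/getUserInfo?userId=1004", "status": 200}
{"ts": 6, "auth_user": "1002", "uri": "/plantService/list?userId=1002", "status": 200}"""

USER_SERVICE = re.compile(r"^/userService/")
OBJECT_ID = re.compile(r"[?&]userId=(\d+)")
ADMINS = {"admin"}          # assumed: accounts legitimately allowed to read any user
FAILED_BEFORE_SUCCESS = 2   # consecutive 403s on userService that count as probing

def parse(text):
    """Parse JSON-lines log text into a list of event dicts, oldest first."""
    return sorted((json.loads(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])

def cross_user_hits(events):
    """Events where a non-admin caller read another user's object and got HTTP 200."""
    hits = []
    for e in events:
        if not USER_SERVICE.search(e["uri"]) or e["status"] != 200:
            continue
        m = OBJECT_ID.search(e["uri"])
        if m and m.group(1) != e["auth_user"] and e["auth_user"] not in ADMINS:
            hits.append(e)
    return hits

def probing_callers(events):
    """Callers with >= FAILED_BEFORE_SUCCESS consecutive 403s on userService, then a 200."""
    streak, flagged = defaultdict(int), set()
    for e in events:
        if not USER_SERVICE.search(e["uri"]):
            continue
        user = e["auth_user"]
        if e["status"] == 403:
            streak[user] += 1
        elif e["status"] == 200:
            if streak[user] >= FAILED_BEFORE_SUCCESS:
                flagged.add(user)
            streak[user] = 0
    return flagged
```

On the sample above, `cross_user_hits` returns only the event at ts 4 (the admin read at ts 5 and the non-userService call at ts 6 are not flagged) and `probing_callers` returns `{"1001"}`.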
