Dozens of vulnerabilities in products from three leading makers of solar inverters, Sungrow, Growatt, and SMA, could be exploited to control devices or execute code remotely on the vendor's cloud platform. Security researchers at Vedere Labs, the cybersecurity research arm of network security company Forescout, found 46 vulnerabilities in solar inverters from Sungrow, Growatt, and SMA - three of the top six manufacturers in the world.

The potential impact of some of the vulnerabilities is significant as they could lead to unauthorized access to resources in cloud platforms, remote code execution (RCE), device takeover, information disclosure, physical damage, and denial of service. The potential impact of the security problems has been assessed as severe because they could be used in attacks that could at least influence grid stability and affect user privacy. In a grimmer scenario, the vulnerabilities could be exploited to disrupt or damage power grids by creating an imbalance between power generation and demand. Apart from disrupting a power grid, the disclosed vulnerabilities can also be exploited in scenarios that impact user privacy, hijacking smart devices in the house that may be controlled through the vendor's cloud platform, or even ransomware attacks by holding the devices hostage until a ransom is paid.

In a report today, Forescout describes how an attacker could use the newly disclosed vulnerabilities to hijack Growatt and Sungrow inverters. An attacker could enumerate usernames without authentication from an exposed Growatt API and then take over accounts by exploiting two IDOR (insecure direct object references) vulnerabilities, or steal credentials via JavaScript injection by leveraging two stored XSS issues. The attacker can use the hard-coded MQTT credentials (CVE-2024-50692) to publish messages for an arbitrary inverter communication dongle by putting the correct serial number in the topic. The attacker can then exploit one of the stack overflow vulnerabilities CVE-2024-50694, CVE-2024-50695, or CVE-2024-50698 (all of them critical) by publishing crafted messages that lead to remote code execution on communication dongles connected to the inverter.

The two attack scenarios above consider only one residential and one commercial inverter, but an attacker could follow the same steps to obtain serial numbers of accounts for a fleet of managed devices. An adversary could obtain a significantly more damaging effect by controlling the hijacked devices as a botnet in a coordinated attack to reduce PV inverters' power generation during peak production hours, thus influencing the load on the grid.

An attacker could use it to achieve remote code execution by uploading .ASPX files that would be executed by the web server at sunnyportal.com - the company's platform for monitoring photovoltaic (PV) systems. The researchers say that Sungrow and SMA patched all reported vulnerabilities, the former asking for confirmation that their fix addressed the issues and showing a willingness to improve their security posture.
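The shared MQTT credential and serial-number-in-topic issue described above is, at its core, a missing authorization check on the broker. The following added example (not code from Forescout or any of the vendors) shows the two broker-side controls a defender would want: binding each client credential to exactly one dongle serial so it cannot publish to other devices' topics, and flagging a client that addresses many serials, which is the fleet-scale pattern the report warns about. The topic layout, the client registry and the serials are constructed assumptions.

```python
"""Broker-side topic authorization and fleet-access detection for per-device MQTT dongles."""
import re
from collections import defaultdict

# Assumed topic layout <prefix>/<serial>/<command>; the article only states that
# the dongle serial number appears in the topic, so this exact shape is hypothetical.
TOPIC_RE = re.compile(r"^dongle/(?P<serial>[A-Z0-9]{8,20})/[a-z_]+$")

# Constructed registry: every credential is bound to a single dongle serial.
# A shared, hard-coded credential would be the opposite: one entry usable for every serial.
CLIENT_TO_SERIAL = {
    "client-A": "SN00000001",
    "client-B": "SN00000002",
}


def authorize_publish(client_id: str, topic: str) -> bool:
    """Allow a publish only when the serial in the topic is the one bound to the client."""
    match = TOPIC_RE.match(topic)
    if match is None:                       # malformed or wildcard-style topics are rejected
        return False
    bound_serial = CLIENT_TO_SERIAL.get(client_id)
    return bound_serial is not None and bound_serial == match.group("serial")


class FleetAccessDetector:
    """Raise an alert when one client addresses more distinct serials than a dongle should."""

    def __init__(self, max_serials: int = 1):
        self.max_serials = max_serials
        self.seen = defaultdict(set)        # client_id -> set of serials it has addressed

    def observe(self, client_id: str, topic: str) -> bool:
        """Record the serial from this topic; return True once the client exceeds the limit."""
        match = TOPIC_RE.match(topic)
        if match is not None:
            self.seen[client_id].add(match.group("serial"))
        return len(self.seen[client_id]) > self.max_serials


if __name__ == "__main__":
    detector = FleetAccessDetector()
    for client, topic in [("client-A", "dongle/SN00000001/set_power"),
                          ("client-A", "dongle/SN00000002/set_power")]:
        print(client, topic, "allowed" if authorize_publish(client, topic) else "denied",
              "ALERT: fleet access" if detector.observe(client, topic) else "")
```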
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 27 Mar 2025 12:00:15 +0000