SB2025031445 - Multiple vulnerabilities in Sungrow iSolarCloud Android App

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Use of hard-coded credentials (CVE-ID: CVE-2024-50688)

The vulnerability allows a remote attacker to gain full access to vulnerable system.

The vulnerability exists due to the iSolarCloud Android application and the cloud use hard-coded MQTT credentials for exchanging the device telemetry. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.

2) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2024-50684)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use of insecure AES key to encrypt client data. A remote attacker can decrypt intercepted communications between the mobile app and iSolarCloud.

Remediation

Install update from vendor's website.

References

• https://www.cisa.gov/news-events/ics-advisories/icsa-25-072-12
• https://en.sungrowpower.com/security-notice-detail-2/6122
• https://en.sungrowpower.com/security-notice-detail-2/6126