Sungrow Logo

Sungrow iSolarCloud Android APP – Hardcoded MQTT Credentials Vulnerability 

Publish Date 2025-03-27

The iSolarCloud Android application and cloud services use hardcoded MQTT credentials for exchanging device telemetry. This vulnerability could allow an attacker to intercept and manipulate communication between Sungrow devices and the iSolarCloud platform, potentially leading to unauthorized data access or control over device telemetry.

Affected Versions

We Vulnerable:  All versions V2.1.6.20241017 and prior
Not Affected:  V2.1.6.20241104 and later

Vulnerability Rating

CVE-2024-50688:  5.3(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
The scoring is based on the CVSS 3.1 standard. The scoring criteria can be referenced at(https://www.first.org/cvss/calculator/3.1

Mitigation and Remediation

Recommended Action: Customers should update the iSolarCloud Android App to the latest version via the official app store.
Patch Release: Available now.
Temporary Fix: Restrict external network access to MQTT brokers until the upgrade is applied.

Exploitation Status

No known exploitation in the wild.

Acknowledgments

This vulnerability was discovered and reported by Forescout Technologies.

Statement

All software updates, patches, and documentation provided by Sungrow Power Supply Co., Ltd. are the proprietary work of Sungrow. These materials may only be used for product maintenance and security improvements. Any unauthorized modification, distribution, decompilation, or reverse engineering is strictly prohibited.
 
Sungrow makes no express or implied warranties regarding the information provided, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement. Sungrow shall not be liable for any direct, indirect, incidental, or consequential damages arising from the use of this document or associated software.
 
Sungrow reserves the right to update or modify this document at any time without prior notice. Customers are responsible for implementing security updates in a timely manner to protect their systems.