【Security Advisory】Sungrow WiNet-S – Improper Firmware Integrity Check Vulnerability (CVE-2024-50696)

Publish Date: 20241230

Product: Sungrow WiNet-S
CVE ID: CVE-2024-50696
Severity: High

Description

Sungrow WiNet-S firmware lacks proper integrity checks during the update process. This vulnerability allows an attacker to send a specific MQTT message to install a bogus firmware file hosted on an attacker-controlled server. This could result in malicious modifications, unauthorized control, or bricking of affected devices.

Affected Versions

Vulnerable: WINET-SV200.001.00.P025 and earlier versions

Not Affected: WINET-SV200.001.00.P026 and later
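An added example (not Sungrow code) that classifies firmware strings from a device inventory against the version boundary above. It assumes the layout WINET-SV<major>.<minor>.<patch>.P<build> orders numerically field by field; the device ids and function names are constructed for illustration.

```python
import re

# Fixed release named in the advisory; anything below it is treated as vulnerable.
FIXED = "WINET-SV200.001.00.P026"

# Assumed layout: WINET-SV<major>.<minor>.<patch>.P<build>, compared numerically.
_VERSION_RE = re.compile(r"^WINET-SV(\d+)\.(\d+)\.(\d+)\.P(\d+)$", re.IGNORECASE)


def parse_version(text):
    """Return the version as a tuple of ints, or None if the layout is unexpected."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one reported firmware string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # do not guess: route the device to manual review
    return "vulnerable" if version < parse_version(FIXED) else "fixed"


def triage(inventory):
    """Group device ids by status. inventory maps device id -> version string."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for device_id, version_text in sorted(inventory.items()):
        result[classify(version_text)].append(device_id)
    return result


# Constructed sample inventory (device ids are made up).
SAMPLE_INVENTORY = {
    "site-a-01": "WINET-SV200.001.00.P025",
    "site-a-02": "WINET-SV200.001.00.P026",
    "site-b-01": "winet-sv200.001.00.p019 ",  # case and whitespace noise
    "site-b-02": "WINET-SV200.001.00.P027",
    "site-c-01": "",                          # version not reported
    "site-c-02": "WINET-SV200.001.00",        # truncated string
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices in the "unknown" group should be checked by hand rather than assumed patched.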

Vulnerability Rating

CVE-2024-50696: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

The scoring is based on the CVSS 3.1 standard. The scoring criteria can be referenced at

Mitigation and Remediation

Recommended Action: Customers should upgrade to firmware version WINET-SV200.001.00.P026 or higher.

Patch Release: Available now.

Temporary Fix: Restrict network access to prevent unauthorized firmware installations until an upgrade is completed.

Exploitation Status

No known exploitation in the wild.

Acknowledgments

This vulnerability was discovered and reported by the company internally.

Statement

All software updates, patches, and documentation provided by Sungrow Power Supply Co., Ltd. are the proprietary work of Sungrow. These materials may only be used for product maintenance and security improvements. Any unauthorized modification, distribution, decompilation, or reverse engineering is strictly prohibited.

Sungrow makes no express or implied warranties regarding the information provided, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement. Sungrow shall not be liable for any direct, indirect, incidental, or consequential damages arising from the use of this document or associated software.

Sungrow reserves the right to update or modify this document at any time without prior notice. Customers are responsible for implementing security updates in a timely manner to protect their systems.