
【Security Advisory】XSS Vulnerability in Sungrow iSolarCloud(SGSA-202512-122202)

Publish Date: 2025-12-26

Product: iSolarCloud

Advisory ID: SGSA-202512-122202

Severity: Medium

Date: 2025-12-26

Description

XSS vulnerability in Sungrow iSolarCloud. The avatar display in the Background Management Web UI is vulnerable to XSS. Adversaries are able to execute arbitrary JavaScript code with the permissions of a victim. XSS attacks are often used to steal credentials or login tokens of other users.

Affected Versions

Vulnerable: The iSolarCloud commonService vulnerability, which was remediated on December 18, 2025, had exposed the system to security risks before its mitigation.

Not Affected: The iSolarCloud commonService vulnerability, which was remediated on December 18, 2025, has posed no risk to the system since its resolution.

Vulnerability Rating

SGSA-202512-122202: CVSS 3.1 base score 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N)

The scoring is based on the CVSS 3.1 standard. The scoring criteria can be referenced at

Mitigation and Remediation

Recommended Action: iSolarCloud was upgraded and repaired on December 18, 2025; no customer action is required.

Patch Release: N/A.

Temporary Fix: N/A.

Acknowledgments

This vulnerability was discovered and reported by Swiss National Test Institute for Cybersecurity NTC.

Contact Information

For security issues regarding Sungrow products and solutions, please report to Sungrow at psirt@sungrowpower.com.

Revision History

Version | Date       | Description
--------|------------|----------------
V1.0    | 2025-12-26 | Initial release

Statement

All software updates, patches, and documentation provided by Sungrow Power Supply Co., Ltd. are the proprietary work of Sungrow. These materials may only be used for product maintenance and security improvements. Any unauthorized modification, distribution, decompilation, or reverse engineering is strictly prohibited.

Sungrow makes no express or implied warranties regarding the information provided, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement. Sungrow shall not be liable for any direct, indirect, incidental, or consequential damages arising from the use of this document or associated software.

Sungrow reserves the right to update or modify this document at any time without prior notice. Customers are responsible for implementing security updates in a timely manner to protect their systems.