CVE-2024-50685

CVE-2024-50685 is an insecure direct object reference (IDOR) vulnerability, mapped to CWE-639, affecting SunGrow iSolarCloud platforms prior to the remediation released on October 31, 2024. The flaw exists in the powerStationService API model, allowing attackers to access or manipulate objects without proper authorization checks.

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating it is exploitable over the network with low complexity by unauthenticated attackers requiring no user interaction. Successful exploitation enables high-impact confidentiality and integrity violations, such as unauthorized access to or modification of sensitive power station data and configurations.

Sungrow has addressed the issue with a remediation update released on October 31, 2024, as detailed in their security notice at https://en.sungrowpower.com/security-notice-detail-2/6118. Security practitioners should ensure iSolarCloud instances are updated to the patched version and review API access controls to mitigate IDOR risks.