CVE-2024-50688

CVE-2024-50688 is a critical vulnerability in the SunGrow iSolarCloud Android application, affecting version V2.1.6.20241017 and prior releases. It stems from hardcoded credentials (CWE-798), where the application—regardless of the user account—and the associated cloud service share the same MQTT credentials for exchanging device telemetry data. This flaw earned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severe potential impact.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. By leveraging the static MQTT credentials, adversaries can intercept, manipulate, or spoof device telemetry communications between the app, cloud, and solar devices, potentially achieving high levels of confidentiality compromise (e.g., data exfiltration), integrity violations (e.g., falsified telemetry), and availability disruption (e.g., denial of telemetry exchange).

Sungrow has published a security notice at https://en.sungrowpower.com/security-notice-detail-2/6122 detailing the issue. Security practitioners should consult this advisory for vendor-recommended mitigations, such as updating to a patched application version.