CVE-2024-50689

CVE-2024-50689 is an insecure direct object reference (IDOR) vulnerability, classified as CWE-639, affecting SunGrow iSolarCloud platforms prior to the October 31, 2024 remediation. The flaw exists in the orgService API model, enabling attackers to access or manipulate objects without proper authorization checks. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting its critical severity due to high impacts on confidentiality and integrity.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By manipulating object references in API requests to the orgService model, they can achieve unauthorized access to sensitive data and potentially modify it, compromising the integrity of iSolarCloud systems without affecting availability.

The vendor's security notice at https://en.sungrowpower.com/security-notice-detail-2/6116 details mitigation through the October 31, 2024 remediation. Security practitioners should verify and apply updates to affected iSolarCloud instances to address the IDOR issue.