CVE-2024-50691
Published: 26 February 2025
Description
SunGrow iSolarCloud Android app V2.1.6.20241104 and prior suffers from Missing SSL Certificate Validation. The app explicitly ignores certificate errors and is vulnerable to MiTM attacks. Attackers can impersonate the iSolarCloud server and communicate with the Android app.
Security Summary
CVE-2024-50691 is a missing SSL certificate validation vulnerability (CWE-295) affecting the SunGrow iSolarCloud Android app in versions V2.1.6.20241104 and prior. The app explicitly ignores certificate errors during SSL/TLS connections, enabling man-in-the-middle (MiTM) attacks. It has a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high impact on confidentiality and integrity.
Remote network attackers can exploit this vulnerability by positioning themselves between the app and the iSolarCloud server, impersonating the legitimate server without requiring privileges or user interaction. Successful exploitation allows attackers to intercept, decrypt, read, modify, or inject data in communications, potentially exposing sensitive information or enabling further malicious actions within the app's context.
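The following is an added example, not code from the SunGrow app or from the advisory. The record only says the app "explicitly ignores certificate errors" and does not name the API involved, so the snippet assumes the two patterns that most often produce a CWE-295 finding on Android (a `WebViewClient.onReceivedSslError` override that calls `proceed()`, and a trust-all `X509TrustManager` paired with a permissive `HostnameVerifier`), each shown beside its hardened form. Class and method names are illustrative.

```java
// Added example (not SunGrow's code): two common Android patterns that
// "explicitly ignore certificate errors", each beside its hardened form.
// Class and method names are illustrative assumptions.
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class CertificateValidationExamples {

    // ---- Pattern 1: WebView SSL error handler ------------------------------

    /** VULNERABLE: proceeds past any certificate error, so a self-signed,
     *  expired or mismatched certificate from a MiTM is accepted silently. */
    static final class InsecureWebViewClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();   // CWE-295: certificate error ignored
        }
    }

    /** HARDENED: abort the load. Recording the primary error code is enough
     *  for diagnostics; do not offer the user a "continue anyway" path. */
    static final class HardenedWebViewClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            Log.w("TLS", "Certificate error " + error.getPrimaryError()
                    + " for " + error.getUrl() + "; aborting load");
            handler.cancel();
        }
    }

    // ---- Pattern 2: custom TrustManager / HostnameVerifier -----------------

    /** VULNERABLE: a no-op trust manager plus a hostname verifier that always
     *  returns true. Any certificate, for any host, is accepted. */
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { } // no-op
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true);               // no-op
        return conn;
    }

    /** HARDENED: keep the platform defaults. Android validates the chain
     *  against the system trust store and checks the hostname for you;
     *  if pinning is wanted it belongs in res/xml/network_security_config.xml,
     *  not in a hand-written TrustManager. */
    static HttpsURLConnection openValidated(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Nothing to override: the default SSLSocketFactory and
        // HostnameVerifier already perform chain and hostname validation.
        return conn;
    }
}
```

When reviewing a decompiled APK for this class of issue, the things to search for are exactly the two shapes on the vulnerable side: an `onReceivedSslError` body that reaches `handler.proceed()`, and an `X509TrustManager` whose `checkServerTrusted` never throws (often alongside a `HostnameVerifier` returning a constant). The fix in both cases is removal rather than repair: let the platform validate, and express any pinning declaratively in the Network Security Config.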
Sungrow has published a security notice with details on this issue at https://en.sungrowpower.com/security-notice-detail-2/6124. Security practitioners should consult this advisory for recommended mitigations or patches.
Details
- CWE(s): CWE-295 (Improper Certificate Validation)