CVE-2024-50693

SunGrow iSolarCloud, prior to its remediation on October 31, 2024, contains a vulnerability classified as CVE-2024-50693, stemming from insecure direct object references (IDOR) in the userService API model (CWE-639). This flaw has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high confidentiality and integrity impacts without requiring authentication or user interaction.

Remote, unauthenticated attackers can exploit this IDOR vulnerability over the network with low complexity to access or manipulate unauthorized user objects via manipulated API requests to the userService endpoint. Successful exploitation enables attackers to read sensitive user data or alter user information, compromising confidentiality and integrity across the affected iSolarCloud instances.

Sungrow has issued a security notice detailing the issue and remediation, available at https://en.sungrowpower.com/security-notice-detail-2/6120. Organizations should apply the October 31, 2024 patch or later to mitigate the vulnerability.