CVE-2024-50695

Critical

Published: 24 January 2025

Published

24 January 2025

Modified

29 May 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0103 77.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

SunGrow WiNet-SV200.001.00.P027 and earlier versions is vulnerable to stack-based buffer overflow when parsing MQTT messages, due to missing MQTT topic bounds checks.

Security Summary

CVE-2024-50695 is a stack-based buffer overflow vulnerability in SunGrow WiNet-SV200 versions 001.00.P027 and earlier. The issue arises when parsing MQTT messages due to missing bounds checks on MQTT topics, classified under CWE-121 (Stack-based Buffer Overflow). It received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical severity.

An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation of the buffer overflow could result in high impacts to confidentiality, integrity, and availability, such as arbitrary code execution or system crashes on affected devices.

Sungrow has issued a security notice detailing the vulnerability at https://en.sungrowpower.com/security-notice-detail-2/5961. Practitioners should consult this advisory for mitigation guidance and patch availability.

Details

CWE(s): CWE-121

Affected Products

sungrowpower

winet-s firmware

≤ 200.001.00.p027

References

https://en.sungrowpower.com/security-notice-detail-2/5961
Vendor Advisory · cve@mitre.org