CVE-2024-50696
Published: 26 February 2025
Description
SunGrow WiNet-S V200.001.00.P025 and earlier versions are missing integrity checks for firmware upgrades. Sending a specific MQTT message allows an update to an inverter or a WiNet connectivity dongle with a bogus firmware file that is located on an attacker-controlled server.
Security Summary
CVE-2024-50696 affects SunGrow WiNet-S firmware versions V200.001.00.P025 and earlier, where integrity checks are missing during firmware upgrades. This vulnerability, classified under CWE-494 (Download of Code Without Integrity Check), enables an attacker to send a specific MQTT message that triggers an unauthorized firmware update to a SunGrow inverter or WiNet connectivity dongle using a bogus firmware file hosted on an attacker-controlled server. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting a high integrity impact that is exploitable over the network.
An unauthenticated attacker with network access can exploit this flaw remotely, with low complexity and no user interaction. By crafting and sending the targeted MQTT message, the attacker can force the device to download and install malicious firmware, compromising the integrity of the inverter or dongle. This could lead to persistent control, altered device behavior, or further attacks on connected systems, although the CVSS vector rates the confidentiality and availability impacts as None.
SunGrow has published a security notice at https://en.sungrowpower.com/security-notice-detail-2/6140 detailing the vulnerability, which security practitioners should consult for recommended mitigations, patches, or workarounds.
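For defenders reviewing an update path against CWE-494, the following added example (not SunGrow's code or fix) shows the two checks missing in the flaw described above: the download source is restricted, and the image must carry a valid signature before it is accepted. The host name, the choice of RSA PKCS#1 v1.5 with SHA-256, and the demo key are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Assumption: the only host firmware may be fetched from (placeholder name).
ALLOWED_HOSTS = {"updates.vendor.example"}
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(digest: bytes, k: int) -> bytes:
    """Build the k-byte encoded message 00 01 FF.. 00 DigestInfo||digest."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(image: bytes, sig: bytes, n: int, e: int) -> bool:
    """Verify by re-encoding the expected block and comparing it whole,
    which avoids lenient-padding-parser signature forgeries."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(hashlib.sha256(image).digest(), k)

def accept_update(url: str, image: bytes, sig: bytes, pubkey: tuple):
    """Return (accepted, reason) for an update request received over MQTT."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return False, "untrusted firmware source"
    if not rsa_verify(image, sig, *pubkey):
        return False, "signature check failed"
    return True, "ok"

# Constructed demo key built from two Mersenne primes. NOT a secure key;
# a real device would hold only the vendor's public key (n, e).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def demo_sign(image: bytes) -> bytes:
    """Signing side of the demo, standing in for the vendor build system."""
    k = (N.bit_length() + 7) // 8
    em = emsa_pkcs1_v15(hashlib.sha256(image).digest(), k)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")

if __name__ == "__main__":
    fw = b"constructed firmware image"
    print(accept_update("https://updates.vendor.example/fw.bin",
                        fw, demo_sign(fw), (N, E)))
```

The signature check is the control that matters; the host allowlist only narrows exposure, since a signed image stays verifiable wherever it is downloaded from.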
Details
- CWE(s)