CVE-2024-8893

High

Published: 14 February 2025

Published

14 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0015 34.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Use of Hard-coded Credentials vulnerability in GoodWe Technologies Co., Ltd. GW1500‑XS allows anyone in physical proximity to the device to fully access the web interface of the inverter via Wi‑Fi.This issue affects GW1500‑XS: 1.1.2.1.

Security Summary

CVE-2024-8893 is a Use of Hard-coded Credentials vulnerability (CWE-798) in the GW1500-XS inverter from GoodWe Technologies Co., Ltd. The issue affects firmware version 1.1.2.1 and enables unauthorized full access to the device's web interface via Wi-Fi. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity with network accessibility and low complexity.

An attacker within physical proximity to the device, such as Wi-Fi range, can exploit this vulnerability with no privileges or user interaction required. Exploitation allows full access to the web interface, potentially compromising low levels of confidentiality, integrity, and availability of the inverter.

Mitigation details are available in the advisory published at https://os-s.net/publications/advisories/CVE-2024-8893.pdf.

Details

CWE(s): CWE-798

References

https://os-s.net/publications/advisories/CVE-2024-8893.pdf
a6d3dc9e-0591-4a13-bce7-0f5b31ff6158