SunGrow is a global leader in solar technology, providing solar energy solutions to businesses and homes worldwide. Its iSolarCloud platform offers remote monitoring and control capabilities, allowing users to manage multiple power stations from a single interface. Unfortunately, the platform contained a serious insecure direct object reference (IDOR) vulnerability that left user data at risk.

Description

CVE-2024-50685 is an IDOR vulnerability found in SunGrow's iSolarCloud platform prior to its October 31, 2024 remediation. The vulnerability occurs in the powerStationService API model and results from missing access controls in the code design. It allows malicious users to potentially access or modify other users' sensitive data by manipulating object references.

Significance

The iSolarCloud platform handles large amounts of sensitive user data, including power station details, user profiles, and energy consumption statistics. Attackers exploiting CVE-2024-50685 pose a significant threat to the security and privacy of users. Furthermore, exploitation of this vulnerability may lead to unauthorized access, data breaches, or unauthorized control of power stations, which can result in substantial financial, operational, or reputational loss.

Code Snippet

The following code snippet demonstrates an example of the IDOR vulnerability in the powerStationService API model.

function getPowerStationData(userId) {
    // ...
    // The station identifier is taken straight from the request parameter.
    var powerStationId = request.getParameter("powerStationId");
    // ...
    // No check that the station identified by powerStationId actually belongs to userId:
    // whatever identifier the client supplies is passed through to the service lookup.
    var powerStationData = powerStationService.getPowerStationData(powerStationId, userId);
    // ...
    return powerStationData;
}

In this code, the powerStationId is retrieved from the HTTP request without proper validation or access control checks. Because of this, a malicious user can potentially manipulate the powerStationId parameter in the HTTP request to access other users' data.

Exploit Details

An attacker can send crafted HTTP requests that manipulate the powerStationId parameter to bypass iSolarCloud's access controls. For example, once a user is logged into iSolarCloud with a valid session (an authenticated session token), the attacker can potentially send a request such as:

GET /api/v1/powerStationService/{maliciousPowerStationId} HTTP/1.1
Host: isolarcloud.sungrow.com
Authorization: Bearer {victim_session_token}

The server will receive this request with the manipulated powerStationId and process it as if it were a legitimate request made by the victim user, consequently divulging sensitive information.

Original References

1. CVE-2024-50685: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50685
2. SunGrow iSolarCloud: https://www.sungrowpower.com/iSolarCloud/

Recommendations

To mitigate the vulnerability, SunGrow released a remediation on October 31, 2024. Users are strongly advised to update their iSolarCloud platform to the latest version to ensure their data remains secure. Developers working with iSolarCloud APIs should implement proper access control mechanisms, checking that the authenticated user is authorized for the specific object referenced, to prevent unauthorized access to sensitive data.
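The lookup pattern from the Code Snippet section beside an ownership-checked version of the kind the recommendation above calls for, as an added example that is not SunGrow's code: the user ids, station ids, ownership table and Express-style request/session object are all constructed for illustration.

```javascript
// Added illustration, not iSolarCloud code. All identifiers and data below are constructed.

// Constructed ownership table: which user each power station belongs to.
const stationOwners = new Map([
  ["ps-1001", "user-alice"],
  ["ps-2002", "user-bob"],
]);

// Constructed station records keyed by station id.
const stationData = new Map([
  ["ps-1001", { id: "ps-1001", name: "Alice rooftop", kwhToday: 18.4 }],
  ["ps-2002", { id: "ps-2002", name: "Bob warehouse", kwhToday: 212.9 }],
]);

// IDOR-prone pattern: the id comes straight from the request and is used as the
// lookup key. The caller's identity is never compared with the record's owner, so
// any authenticated caller who supplies another user's station id gets that record.
function getPowerStationDataVulnerable(request) {
  const powerStationId = request.params.powerStationId;
  return stationData.get(powerStationId) || null;
}

// Hardened pattern: the user id comes from the server-side session, never from the
// request, and the lookup is only honoured when the ownership table ties the
// requested station to that user. "Not found" and "not yours" both return 404 so
// the endpoint does not confirm which ids exist.
function getPowerStationDataChecked(request) {
  const userId = request.session && request.session.userId;
  if (!userId) {
    return { status: 401, body: null };
  }
  const powerStationId = String((request.params && request.params.powerStationId) || "");
  if (stationOwners.get(powerStationId) !== userId) {
    return { status: 404, body: null };
  }
  return { status: 200, body: stationData.get(powerStationId) };
}
```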

Conclusion

CVE-2024-50685 is a severe IDOR vulnerability found in SunGrow's iSolarCloud platform, putting user privacy and security at risk. By updating the platform to the latest version and implementing proper access controls, users can help mitigate this risk and protect their sensitive data.

Timeline

Published on: 02/26/2025 21:15:17 UTC
Last modified on: 04/07/2025 18:51:55 UTC