PT-2017-19220 · SMA Solar Technology · SMA Solar Technology Products

Willem Westerhof · Published 2017-08-05 · Updated 2024-08-05 · CVE-2017-9854

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SMA Solar Technology products (affected versions not specified)
Sunny Boy versions TLST-21 and TL-21
Sunny Tripower versions TL-10 and TL-30

Description

An issue was discovered in SMA Solar Technology products where plaintext passwords can be obtained by sniffing for specific packets on the localhost as they are typed into Sunny Explorer by the user. These passwords can then be used to compromise the overall device. The vendor reports that the exploitation likelihood is low because these packets are usually sent only once during installation.

Recommendations

For Sunny Boy versions TLST-21 and TL-21, consider restricting access to the device during installation to minimize the risk of exploitation. For Sunny Tripower versions TL-10 and TL-30, avoid using the device on unsecured networks until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Missing Encryption of Sensitive Data

Related Identifiers

CVE-2017-9854

Affected Products

SMA Solar Technology Products
Sunny Boy
Sunny Explorer
Sunny Tripower