PT-2017-19229 · SMA Solar Technology · Sunny Boy TLST-21 (+3)

Willem Westerhof · Published 2017-08-05 · Updated 2024-08-05 · CVE-2017-9863

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: SMA Solar Technology products, specifically Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30.

Description: An issue in SMA Solar Technology products allows for cross-site request forgery, enabling an attacker to change settings in the inverters, including the user password, by issuing a POST request to a vulnerable endpoint, such as '/api/v1/settings', when a user has Sunny Explorer running and visits a malicious host. This could result in the compromise of the device, with the attacker gaining access to all Sunny Explorer settings available to the authenticated user, and potentially even settings that the user does not have access to. The vendor notes that exploitation is unlikely due to the rare usage of Sunny Explorer.

Recommendations: For Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30, consider disabling Sunny Explorer until a patch is available to prevent potential cross-site request forgery attacks. Restrict access to the inverters' settings to minimize the risk of exploitation. Avoid using Sunny Explorer while visiting untrusted websites to reduce the likelihood of an attack. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
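The root cause described above is a settings endpoint that accepts a state-changing POST from any origin on the strength of the browser's ambient session. The following is an added illustration, not SMA's code or the advisory's, of the server-side guard a fixed endpoint would apply: reject cross-origin state-changing requests and require a per-session anti-CSRF token. The allowed origin "https://inverter.local" and the sample request are assumed placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac
import secrets

# Placeholder for the inverter's own web origin (assumed; not taken from the advisory).
ALLOWED_ORIGINS = {"https://inverter.local"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Session:
    """Authenticated session; carries a per-session anti-CSRF token."""
    token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: dict

def csrf_check(req: Request, session: Session) -> tuple[bool, str]:
    """Return (allowed, reason). Safe methods pass; state-changing requests
    must come from an allowed origin AND carry the session's token."""
    if req.method not in STATE_CHANGING:
        return True, "safe method"
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False, "missing Origin/Referer"
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(src))
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-site origin {origin}"
    sent = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(sent, session.token):
        return False, "bad or missing CSRF token"
    return True, "ok"

def handle_settings(req: Request, session: Session, settings: dict) -> tuple[int, str]:
    """Apply a settings change (e.g. a new password) only when the CSRF check passes."""
    ok, why = csrf_check(req, session)
    if not ok:
        return 403, why
    settings.update(req.body)
    return 200, "settings updated"

# Constructed sample: a settings POST arriving from a third-party page, no token.
CROSS_SITE_POST = Request("POST", "/api/v1/settings",
                          {"Origin": "https://third-party.example"},
                          {"user_password": "changed"})
```

Both checks matter: the origin check stops a plain cross-site form post, and the token check stops a same-origin page from acting without the application's explicit consent.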

Weakness Enumeration
CSRF

Related Identifiers
CVE-2017-9863

Affected Products
Sunny Boy TLST-21
Sunny Explorer
Sunny Tripower TL-10
Sunny Tripower TL-30