CVE-2024-50692

Name of the Vulnerable Software and Affected Versions SunGrow WiNet-SV200 versions 0.001.00.P027 and earlier

Description The issue concerns hardcoded MQTT credentials in the affected software, allowing an attacker to send arbitrary commands to any inverter. Additionally, the lack of TLS to identify the real MQTT broker enables impersonation, making MQTT communications vulnerable to Man-in-the-Middle (MitM) attacks at the TCP/IP level.

Recommendations For SunGrow WiNet-SV200 versions 0.001.00.P027 and earlier, consider disabling the use of hardcoded MQTT credentials until a patch is available. Restrict access to the MQTT broker to minimize the risk of exploitation. Avoid using the affected MQTT communications until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.