PT-2025-8744 · Sungrow · Sungrow Isolarcloud
Published: 2025-02-26 · Updated: 2025-03-08 · CVE-2024-50688
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SunGrow iSolarCloud Android application versions V2.1.6.20241017 and prior
Description
The issue concerns hardcoded credentials in the SunGrow iSolarCloud Android application. Specifically, the application and the cloud use the same MQTT credentials for exchanging device telemetry, regardless of the user account.
Recommendations
For versions V2.1.6.20241017 and prior, consider restricting access to the MQTT credentials until a patch is available. As a temporary workaround, avoid using the hardcoded credentials in the affected application.
Fix
Using Hardcoded Credentials
Weakness Enumeration
Related Identifiers
Affected Products
Sungrow Isolarcloud