Full Report
Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids. The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs. "The new vulnerabilities can be
Analysis Summary
# Vulnerability: SUN:DOWN - Critical Flaws in Solar Inverter Ecosystems (Sungrow, Growatt, SMA)
## CVE Details
- CVE ID: Multiple (specific CVEs are not individually listed in this summary; CISA advisories ICSA-25-072-12 and ICSA-25-079-04 cover the collective issues.)
- CVSS Score: Not stated per flaw in this summary; the collective impact (unauthenticated remote code execution, control of inverter settings) indicates High to Critical severity.
- CWE: Various, e.g., Unrestricted Upload of File with Dangerous Type (CWE-434), Use of Hard-coded Credentials (CWE-798), Improper Certificate Validation (CWE-295), and insecure cryptographic key handling.
## Affected Systems
- Products: Solar Inverters and associated infrastructure from Sungrow, Growatt, and SMA.
- Versions: Specific vulnerable versions are not detailed in this summary; the flaws reside in the devices, their mobile apps, and the vendor cloud/API infrastructure they connect to.
- Configurations: Default deployments, especially devices exposed to the internet or connected to vendor cloud services.
## Vulnerability Description
Forescout Vedere Labs discovered 46 vulnerabilities across solar inverter products from Sungrow, Growatt, and SMA, collectively named **SUN:DOWN**. These flaws allow unauthenticated and authenticated attackers to execute arbitrary code remotely on devices or vendor cloud infrastructure. Specific issues include:
* **SMA:** Remote Code Execution (RCE) via unauthorized `.aspx` file uploads to the web server (sunnyportal[.]com).
* **Growatt:** Unauthenticated information disclosure leading to user enumeration, device takeover, and account takeover via exposed API endpoints (e.g., `server.growatt.com`, `server-api.growatt.com`). Flaws also exist in EV charger APIs allowing configuration changes and information theft. A hypothetical attack involves resetting passwords to the default `123456`.
* **Sungrow:** The iSolarCloud Android app uses an insecure AES key for encryption and can be tricked into bypassing certificate validation (Adversary-in-the-Middle, AitM). The WiNet WebUI contains a hard-coded password used to decrypt firmware updates. Multiple flaws in MQTT message handling allow RCE or Denial of Service (DoS).
The collective exploitation could allow an attacker to control large fleets of inverters, altering energy production settings to deliberately cause instability in electrical grids (cyber-physical ransomware risk).
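The SMA finding above is the classic CWE-434 pattern. The following is an added example, not Forescout's analysis or any vendor's code: a minimal model of an upload handler that trusts the client-supplied filename and writes under the web root (so an uploaded `.aspx` is served as code), beside a hardened handler that allow-lists extensions, rejects embedded executable extensions, checks magic bytes, and stores under a server-chosen name outside the web root. The policy constants, directory names, and the sample payloads are all constructed for the demonstration.

```python
import os
import re
import secrets
import tempfile

# Hypothetical policy for a portal that only needs image/PDF uploads.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".pdf"}
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
# Extensions an ASP.NET/IIS (or similar) host would execute; they must not appear
# anywhere in a stored name, not only at the end (e.g. shell.aspx.png).
EXECUTABLE = {"asp", "aspx", "ashx", "asmx", "cshtml", "config", "php", "jsp"}
MAX_BYTES = 5 * 1024 * 1024


def vulnerable_save(filename, data, web_root):
    """CWE-434 pattern: the client-supplied name is trusted and the file is
    written under the web root, so an uploaded .aspx is served as code."""
    path = os.path.join(web_root, filename)       # no basename(): '../' also works
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def validate_upload(filename, data):
    """Returns (accepted, reason); pure so it can be tested without file I/O."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return False, "extension %s not in allow-list" % (ext or "(none)")
    # Reject shell.aspx.png and shell.aspx;.png style names.
    if any(tok.lower() in EXECUTABLE for tok in re.split(r"[.;]", stem)):
        return False, "executable extension embedded in name"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    if len(data) > MAX_BYTES:
        return False, "too large"
    return True, "ok"


class UploadRejected(ValueError):
    pass


def hardened_save(filename, data, upload_root):
    """Validates, then stores under a random server-chosen name in a directory
    that the web server must be configured never to execute from."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise UploadRejected(reason)
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    path = os.path.join(upload_root, secrets.token_hex(16) + ext)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Runs both handlers against constructed uploads in temp dirs."""
    web_root = tempfile.mkdtemp(prefix="webroot_")
    upload_root = tempfile.mkdtemp(prefix="uploads_")
    webshell = b'<%@ Page Language="C#" %><!-- constructed stand-in for a web shell -->'
    png = MAGIC[".png"] + b"\x00" * 32
    out = {}
    p = vulnerable_save("shell.aspx", webshell, web_root)
    out["vuln_served_path"] = os.path.relpath(p, web_root)   # reachable as /shell.aspx
    out["vuln_written"] = os.path.isfile(p)
    out["webshell"] = validate_upload("shell.aspx", webshell)
    out["double_ext"] = validate_upload("shell.aspx.png", png)
    out["spoofed_png"] = validate_upload("shell.png", webshell)
    out["traversal"] = validate_upload("../../shell.aspx", webshell)
    out["stored_name"] = os.path.basename(hardened_save("photo.png", png, upload_root))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Name validation alone is not enough: the upload directory must also be outside the web root (or mapped so the server serves it as static content only), and the server-chosen random name removes the attacker's control over the path entirely.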
## Exploitation
- Status: No public exploit is cited in this summary. The researchers disclosed the findings after vendor fixes, which implies working proof-of-concept code, and the affected cloud APIs are internet-reachable, so exploitation in the wild is plausible.
- Complexity: Low to Medium. Some attacks (Growatt API abuse, hard-coded passwords) need little or no authentication and no specialized knowledge; the RCE paths are likely more involved.
- Attack Vector: Network (External/Internet-facing APIs and cloud infrastructure).
## Impact
- Confidentiality: High (Information disclosure, access to sensitive user/device data).
- Integrity: Critical (Ability to alter inverter settings, impact energy flow, execute arbitrary code).
- Availability: Critical (DoS via MQTT, potential for large-scale grid disruption leading to blackouts).
## Remediation
### Patches
- All vendors (Sungrow, Growatt, SMA) have **addressed** the identified issues following responsible disclosure. Customers should apply vendor-released patches immediately. (Refer to CISA advisories ICSA-25-072-12 and ICSA-25-079-04 for details.)
### Workarounds
- Enforce strict security requirements when procuring solar equipment.
- Conduct regular risk assessments on OT/IoT assets.
- Ensure comprehensive network visibility into all solar/inverter devices.
- Restrict network access to these devices; ensure they are segmented and only accessible to authorized personnel if applicable.
## Detection
- Indicators of Compromise: Unexpected changes to inverter operational settings (especially across many devices in a short window), failed authentication attempts against vendor cloud APIs, unusual outbound traffic from inverters (destinations other than the vendor's cloud, or unexpected volume or timing toward it), or known default credentials being used successfully to authenticate.
- Detection methods and tools: IDS/IPS monitoring of traffic to and from known vendor infrastructure domains for unauthorized file uploads or API abuse patterns; security monitoring for known API endpoints being queried by unauthenticated sources.
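The following is an added example, not from Forescout, CISA, or any vendor: three of the indicators above (an upload of a server-executable file, unauthenticated user enumeration against a lookup endpoint, and a burst of setpoint writes across many inverters from one source) turned into detection rules and run over constructed API-gateway log lines. The log format, endpoint paths, field names, IP addresses, and thresholds are all hypothetical; adapt them to the real gateway's logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Hypothetical gateway log: "<iso-ts> <src-ip> <method> <path> <status> auth=<principal|none>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>\S+)$"
)
EXEC_EXT = re.compile(r"\.(aspx?|ashx|asmx|php|jsp)$", re.I)
ENUM_ENDPOINT = "/api/user/exists"                        # hypothetical lookup endpoint
SETPOINT_RE = re.compile(r"^/api/device/(?P<sn>[A-Z0-9]+)/setpoint$")

# Constructed sample log (all addresses are documentation ranges).
SAMPLE_LOG = """\
2025-03-28T09:00:01Z 203.0.113.7 POST /upload/files/shell.aspx 200 auth=session:u1
2025-03-28T09:00:02Z 203.0.113.7 GET /files/shell.aspx 200 auth=none
2025-03-28T09:00:05Z 198.51.100.9 GET /api/user/exists?name=alice 200 auth=none
2025-03-28T09:00:06Z 198.51.100.9 GET /api/user/exists?name=bob 200 auth=none
2025-03-28T09:00:06Z 198.51.100.9 GET /api/user/exists?name=carol 200 auth=none
2025-03-28T09:00:07Z 198.51.100.9 GET /api/user/exists?name=dave 200 auth=none
2025-03-28T09:00:07Z 198.51.100.9 GET /api/user/exists?name=erin 200 auth=none
2025-03-28T09:01:00Z 192.0.2.44 PUT /api/device/SN0001/setpoint 200 auth=session:u9
2025-03-28T09:01:03Z 192.0.2.44 PUT /api/device/SN0002/setpoint 200 auth=session:u9
2025-03-28T09:01:09Z 192.0.2.44 PUT /api/device/SN0003/setpoint 200 auth=session:u9
2025-03-28T10:30:00Z 192.0.2.10 PUT /api/device/SN0042/setpoint 200 auth=session:u3
2025-03-28T10:31:00Z 192.0.2.10 POST /upload/files/photo.png 201 auth=session:u3
"""


def parse(lines):
    """Parses log lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def executable_uploads(events):
    """Successful POST/PUT whose target path ends in a server-executable extension."""
    return ["%s uploaded server-executable %s (HTTP %d)" % (e["src"], e["path"], e["status"])
            for e in events
            if e["method"] in ("POST", "PUT") and e["status"] < 400
            and EXEC_EXT.search(urlparse(e["path"]).path)]


def user_enumeration(events, threshold=5):
    """One unauthenticated source probing many distinct usernames."""
    names = defaultdict(set)
    for e in events:
        u = urlparse(e["path"])
        if e["auth"] == "none" and u.path == ENUM_ENDPOINT:
            for n in parse_qs(u.query).get("name", []):
                names[e["src"]].add(n)
    return ["%s probed %d distinct usernames unauthenticated" % (src, len(ns))
            for src, ns in names.items() if len(ns) >= threshold]


def fleet_setpoint_burst(events, threshold=3, window=timedelta(minutes=5)):
    """One source changing setpoints on many inverters within a short window."""
    writes = defaultdict(list)
    for e in events:
        m = SETPOINT_RE.match(urlparse(e["path"]).path)
        if m and e["method"] in ("PUT", "POST") and e["status"] < 400:
            writes[e["src"]].append((e["ts"], m.group("sn")))
    alerts = []
    for src, ws in writes.items():
        ws.sort()
        for i, (t0, _) in enumerate(ws):
            sns = {sn for t, sn in ws[i:] if t - t0 <= window}
            if len(sns) >= threshold:
                alerts.append("%s changed setpoints on %d inverters within %s" % (src, len(sns), window))
                break
    return alerts


def run(log_text=SAMPLE_LOG):
    events = parse(log_text.splitlines())
    return {"upload": executable_uploads(events),
            "enum": user_enumeration(events),
            "fleet": fleet_setpoint_burst(events)}


if __name__ == "__main__":
    for rule, alerts in run().items():
        print(rule, alerts)
```

The fleet rule is the one that maps most directly to the grid-stability scenario: a legitimate operator rarely rewrites setpoints on many inverters in seconds, while an attacker with a stolen portal session or API access would. Tune the thresholds against a baseline of normal fleet-management traffic before enabling alerts.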
## References
- Vendor Advisories: CISA ICSA-25-072-12, CISA ICSA-25-079-04
- Relevant links: hxxps://www.forescout.com/blog/grid-security-new-vulnerabilities-in-solar-power-systems-exposed/
- Relevant links: hxxps://www.cisa.gov/news-events/ics-advisories/icsa-25-072-12
- Relevant links: hxxps://www.cisa.gov/news-events/ics-advisories/icsa-25-079-04