Description
CVE-2024-50692:
The WiNet-S module's firmware contains hardcoded MQTT credentials that could enable an attacker to send arbitrary commands to an arbitrary inverter.
CVE-2024-50690:
The WiNet-S update files are encrypted; however, the WiNet WebUI includes a hardcoded password that could be exploited to decrypt firmware updates.
CVE-2024-50694:
A buffer overflow vulnerability exists in WiNet-S products, which could allow attackers to perform Denial-of-Service and/or Remote Code Execution.
CVE-2024-50697:
There is a buffer overflow vulnerability in WiNet-S products. Attackers can cause Denial-of-Service and/or Remote Code Execution.
CVE-2024-50695:
There is a buffer overflow vulnerability in WiNet-S products. Attackers can cause Denial-of-Service and/or Remote Code Execution.
CVE-2024-50698:
There is a buffer overflow vulnerability in WiNet-S products. Attackers can cause Denial-of-Service and/or Remote Code Execution.
This problem does not occur anymore for the newer firmware versions WiNet-S WINET-SV200.001.00.P028 and higher.
Affected Firmware Versions & Proposed Solutions
Product Name | Vulnerability Number | Affected Versions | Solutions |
WiNet-S | CVE-2024-50692 | WINET-SV200.001.00.P027 and earlier versions | Upgrade to WINET-SV200.001.00.P028 or higher |
WiNet-S | CVE-2024-50690 | WINET-SV200.001.00.P027 and earlier versions | Upgrade to WINET-SV200.001.00.P028 or higher |
WiNet-S | CVE-2024-50694 | WINET-SV200.001.00.P027 and earlier versions | Upgrade to WINET-SV200.001.00.P028 or higher |
WiNet-S | CVE-2024-50697 | WINET-SV200.001.00.P027 and earlier versions | Upgrade to WINET-SV200.001.00.P028 or higher |
WiNet-S | CVE-2024-50695 | WINET-SV200.001.00.P027 and earlier versions | Upgrade to WINET-SV200.001.00.P028 or higher |
WiNet-S | CVE-2024-50698 | WINET-SV200.001.00.P027 and earlier versions | Upgrade to WINET-SV200.001.00.P028 or higher |
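The affected-version boundary from the table above, applied as a fleet inventory check (an added example, not Sungrow code). It assumes firmware strings follow the WINET-SV<n>.<n>.<n>.P<n> layout seen on this page and that versions order numerically field by field; the device names and the sample inventory are constructed.

```python
import re

# First fixed release according to the advisory table.
FIXED = "WINET-SV200.001.00.P028"

# Assumed layout: WINET-SV<major>.<minor>.<rev>.P<patch>, all fields numeric.
_VERSION_RE = re.compile(r"^WINET-SV(\d+)\.(\d+)\.(\d+)\.P(\d+)$")


def parse_version(text):
    """Return the version as a tuple of ints, or None if the string does not match."""
    match = _VERSION_RE.match(text.strip().upper())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one reported firmware string."""
    version = parse_version(text)
    if version is None:
        # Never report an unparseable version as safe; flag it for manual review.
        return "unknown"
    # Tuple comparison is numeric per field, so P9 sorts below P028.
    return "fixed" if version >= parse_version(FIXED) else "affected"


def triage(inventory):
    """Group device names by status. inventory maps device name -> version string."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for device, version in sorted(inventory.items()):
        result[classify(version)].append(device)
    return result


# Constructed inventory: device names and versions other than P027/P028 are made up.
SAMPLE_INVENTORY = {
    "site-a-dongle-1": "WINET-SV200.001.00.P027",
    "site-a-dongle-2": "WINET-SV200.001.00.P028",
    "site-b-dongle-1": "winet-sv200.001.00.p009 ",
    "site-b-dongle-2": "WINET-SV200.001.00.P031",
    "site-c-dongle-1": "",
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices that land in "unknown" should be checked by hand rather than treated as patched.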
Vulnerability Rating
CVE-2024-50692: 8.1 (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H)
CVE-2024-50690: 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N)
CVE-2024-50694: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-50697: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-50695: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-50698: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
The scoring is based on the CVSS 3.1 standard. The scoring criteria can be referenced at https://www.first.org/cvss/calculator/3.1
Recommendations
We highly recommend logging into iSolarCloud to check for the available software update, or contacting your installer for assistance.
Statement
Any software/patch mentioned on this page is the copyrighted work of SUNGROW. Except for product repair purposes, you may not copy, modify, distribute, publish, license, transfer, sell, or attempt to extract the source code through methods such as decompilation.
This document does not promise any express, implied and statutory warranties, including but not limited to the warranties of merchantability, fitness for purpose and non-infringement. In no event shall Sungrow Power Supply Co., Ltd. or its direct or indirect subsidiaries be liable for any damages, including but not limited to direct, indirect, incidental, consequential, or special damages, or any loss of business profits or special losses. You assume all legal responsibilities arising from any use of this document. SUNGROW reserves the right to modify or update the content and information in this document at any time.