Solar grids could be hijacked and even potentially disabled by these security flaws

Experts claim solar inverter vulnerabilities could lead to damage to the power grid
Devices could be taken over and switched off, increasing grid load
46 vulnerabilities discovered, with some potentially exposing user information

Solar inverters could be hijacked by cybercriminals to disrupt power supplies and damage the electrical grid.

46 vulnerabilities were found by Forescout [PDF] in solar inverters produced by Sungrow, Growatt, and SMA.

Many of the vulnerabilities could lead to remote code execution (RCE), denial of service, device takeover, as well as access to cloud platforms and sensitive information.

Power grid hijacking

For SMA devices, only a single vulnerability was found, CVE-2025-0731, that allows an attacker to use a demo account to upload a .aspx (Active Server Page Extended) file instead of a photovoltaic (PV) system picture, with the file then being executed by the sunnyportal.com web server.

As for Sungrow solar inverters, insecure direct object reference (IDOR) vulnerabilities tracked as CVE-2024-50685, CVE-2024-50686, and CVE-2024-50693 could allow an attacker to harvest communication dongle serial numbers.

CVE-2024-50692 allows an attacker to use hard-coded MQTT credentials to send arbitrary commands to an arbitrary inverter dongle, or commit man-in-the-middle (MitM) attacks against MQTT communications.

The attacker can also use one of several critical stack overflow vulnerabilities (CVE-2024-50694, CVE-2024-50695, CVE-2024-50698) to remotely execute code on server connected dongles. Using this flow of vulnerabilities, an attacker could potentially reduce power generation during peak times to increase the load on the grid.

Growatt inverters can be hijacked via the cloud backend by listing usernames from an exposed Growatt API, and then use these usernames for account-takeover through two IDOR vulnerabilities.

All of the disclosed vulnerabilities have since been patched by the manufacturers.

https://cdn.mos.cms.futurecdn.net/7N4ZtNATBytQgNsTt95woQ-1200-80.jpg

Source link
benedict.collins@futurenet.com (Benedict Collins)

The paradox of AI: problem vs. opportunity in web innovation

Roborock F25 Ace review: effortless for a floor washer, from setup to self-clean

I love my Meta Quest 2, but AU$50 off the Meta Quest 3S is the perfect VR gaming deal for a beginner

Samsung Bespoke AI Jet Ultra review: an excellent cleaner, let down by unnecessary AI features

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Which Celebrity Styles Americans Copy Most in 2025: New Study

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

Why you should invest in India now: The new investment friendliness index is a game changer

Jyske Bank progresses with share buyback program

Jyske Bank completes week 13 of share buyback program

Thames Water advances equity raise process

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Solar grids could be hijacked and even potentially disabled by these security flaws

Why you should invest in India now: The new investment friendliness index is a game changer

The paradox of AI: problem vs. opportunity in web innovation

Jyske Bank progresses with share buyback program

Jyske Bank completes week 13 of share buyback program

Leave a reply Cancel reply