Cross-Site Request Forgery in SMA Solar Technology Sunny Explorer
CVE-2017-9863

8.8HIGH

Key Information:

Vendor

Sma

Status
Sunny Boy 3600 Firmware
Vendor
CVE Published:
5 August 2017

What is CVE-2017-9863?

An identified issue in SMA Solar Technology's products allows for cross-site request forgery (CSRF) when users run the Sunny Explorer application while visiting a malicious host. This vulnerability may enable attackers to issue unauthorized commands, such as modifying user passwords or altering other settings to which the user has access. In certain circumstances, this could even extend to settings beyond the user’s permissions, leading to a potential full compromise of the affected devices. It's important to note that the impact is limited due to the low usage frequency of Sunny Explorer, and primarily affects specific inverter models.

References

http://www.sma.de/en/statement-on-cyber-security.html
x_refsource_MISC
https://horusscenario.com/CVE-information/
x_refsource_MISC
http://www.sma.de/fileadmin/content/global/specials/docum...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.