Insecure Direct Object Reference in SunGrow iSolarCloud API
CVE-2024-50686

9.1CRITICAL

Key Information:

Vendor: SunGrow
Status: iSolarCloud
Vendor: CVE Published:; 26 February 2025

What is CVE-2024-50686?

The SunGrow iSolarCloud application is susceptible to an insecure direct object reference (IDOR) vulnerability through its commonService API model. This flaw allows unauthorized users to access sensitive resources by manipulating input parameters, potentially leading to unauthorized data exposure and privilege escalation. Users are advised to update to the latest version post-remediation on October 31, 2024, to mitigate this security risk.

References

https://en.sungrowpower.com/security-notice-detail-2/6112

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2025
Vulnerability Reserved
Oct 28, 2024