Hardcoded Credentials in SunGrow iSolarCloud Android Application
CVE-2024-50688

9.8CRITICAL

Key Information:

Vendor: SunGrow Power
Status: iSolarCloud Android Application
Vendor: CVE Published:; 26 February 2025

🔔 Create SunGrow Power Vulnerability Alert

What is CVE-2024-50688?

The SunGrow iSolarCloud Android application version 2.1.6.20241017 and earlier contains hardcoded MQTT credentials, which are used for the exchange of device telemetry regardless of the user account. This vulnerability exposes all users of the application to potential unauthorized access, as the same credentials can be exploited to communicate with the cloud service. The use of hardcoded credentials undermines application security, making it critical for users to update to the latest version to ensure their data integrity and privacy.

References

https://en.sungrowpower.com/security-notice-detail-2/6122

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 26, 2025
Vulnerability Reserved
Oct 28, 2024

JSON