Researchers Uncover 46 Critical Flaws in Solar Inverters From Sungrow, Growatt, and SMA

Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids.

The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs.

“The new vulnerabilities can be exploited to execute arbitrary commands on devices or the vendor’s cloud, take over accounts, gain a foothold in the vendor’s infrastructure, or take control of inverter owners’ devices,” the company said in a report shared with The Hacker News.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

Some of the notable flaws identified are listed below –

• Attackers can upload .aspx files that will be executed by the web server of SMA (sunnyportal[.]com), resulting in remote code execution
• Unauthenticated attackers can perform username enumeration via the exposed “server.growatt.com/userCenter.do” endpoint
• Unauthenticated attackers can obtain the list of plants belonging to other users as well as arbitrary devices via the “server-api.growatt.com/newTwoEicAPI.do” endpoint, resulting in device takeover
• Unauthenticated attackers can obtain the serial number of a smart meter using a valid username via the “server-api.growatt.com/newPlantAPI.do” endpoint, resulting in account takeover
• Unauthenticated attackers can obtain information about EV chargers, energy consumption information, and other sensitive data via the “evcharge.growatt.com/ocpp” endpoint, as well as remotely configure EV chargers and obtain information related to firmware, resulting in information disclosure and physical damage
• The Android application associated with Sungrow uses an insecure AES key to encrypt client data, opening the door to a scenario where an attacker can intercept and decrypt communications between the mobile app and iSolarCloud
• The Android application associated with Sungrow explicitly ignores certificate errors and is vulnerable to adversary-in-the-middle (AitM) attacks
• Sungrow’s WiNet WebUI contains a hard-coded password that can be used to decrypt all firmware updates
• Multiple vulnerabilities in Sungrow when handling MQTT messages that could result in remote code execution or a denial-of-service (DoS) condition

“An attacker that gained control of a large fleet of Sungrow, Growatt, and SMA inverters using the newly discovered vulnerabilities could control enough power to cause instability to these power grids and other major ones,” Forescout said.

In a hypothetical attack scenario targeting Growatt inverters, a threat actor could guess the real account usernames through an exposed API, hijack the accounts by resetting their passwords to the default “123456,” and perform follow-on exploitation.

To make matters worse, the hijacked fleet of inverters could then be controlled as a botnet to amplify the attack and inflict damage on the grid, leading to grid disruption and potential blackouts. All the vendors have since addressed the identified issues following responsible disclosure.

“As attackers can control entire fleets of devices with an impact on energy production, they can alter their settings to send more or less energy to the grid at certain times,” Forescout said, adding the newly discovered flaws risk exposing the grid to cyber-physical ransomware attacks.

Daniel dos Santos, Head of Research at Forescout Vedere Labs, said mitigating the risks requires enforcing strict security requirements when procuring solar equipment, conducting regular risk assessments, and ensuring full network visibility into these devices.

The disclosure comes as serious security flaws have been discovered in production line monitoring cameras made by Japanese company Inaba Denki Sangyo that could be exploited for remote surveillance and prevent recording production stoppages.

The vulnerabilities remain unpatched, but the vendor has urged customers to restrict internet access and limit ensure that such devices are installed in a secure, restricted area that’s accessible only to authorized personnel.

“These flaws enable various attacks, allowing an unauthenticated attacker to remotely and secretly access live footage for surveillance, or disrupt the recording of production line stoppages preventing the capture of critical moments,” Nozomi Networks said.

In recent months, the operational technology (OT) security company has also detailed multiple security defects in the GE Vernova N60 Network Relay, Zettler 130.8005 industrial gateway, and Wago 750-8216/025-001 programmable logic controller (PLC) that could be weaponized by an attacker to take full control of the devices.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.