Strix
26.1K

CVE-2024-50692

MEDIUMCVSS 5.4/10EPSS 0.24%

Last modified

CVE-2024-50692 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. SunGrow WiNet-SV200.001.00.P027 and earlier versions contains hardcoded MQTT credentials that allow an attacker to send arbitrary commands to an arbitrary inverter. It is also possible to impersonate the broker, because TLS is not used to identify the real MQTT broker. EPSS estimates a 0.24% chance of exploitation in the next 30 days.

Description

SunGrow WiNet-SV200.001.00.P027 and earlier versions contains hardcoded MQTT credentials that allow an attacker to send arbitrary commands to an arbitrary inverter. It is also possible to impersonate the broker, because TLS is not used to identify the real MQTT broker. This means that MQTT communications are vulnerable to MitM attacks at the TCP/IP level.

Metrics

CVSS 3.1
5.4/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.24%

14.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
SungrowpowerWinet-S Firmware200.001.00.p027
SungrowpowerWinet-S Firmware< 200.001.00.p027

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-50692?
SunGrow WiNet-SV200.001.00.P027 and earlier versions contains hardcoded MQTT credentials that allow an attacker to send arbitrary commands to an arbitrary inverter. It is also possible to impersonate the broker, because TLS is not used to identify the real MQTT broker. This means that MQTT communications are vulnerable to MitM attacks at the TCP/IP level.
How severe is CVE-2024-50692?
CVE-2024-50692 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 0.24% probability of exploitation in the next 30 days.
How do I fix CVE-2024-50692?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-50692?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST