Cyber Posture

CVE-2024-50685

Critical

Published: 26 February 2025

Published
26 February 2025
Modified
07 April 2025
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0017 38.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50685 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Sungrowpower Isolarcloud. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for logical access to information and resources, directly preventing IDOR by requiring proper checks on powerStationService API object references.

SI-10 Information Input Validation good match
prevent

Validates information inputs such as object references in API requests to ensure they are legitimate and authorized, mitigating unauthorized access and manipulation in the powerStationService API.

SI-2 Flaw Remediation good match
preventrecover

Requires timely identification, reporting, and correction of flaws like this IDOR vulnerability, directly addressed by Sungrow's October 31, 2024 remediation update.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

IDOR in public-facing powerStationService API directly enables unauthenticated remote exploitation for unauthorized data access/modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SunGrow iSolarCloud before the October 31, 2024 remediation, is vulnerable to insecure direct object references (IDOR) via the powerStationService API model.

Deeper analysisAI

CVE-2024-50685 is an insecure direct object reference (IDOR) vulnerability, mapped to CWE-639, affecting SunGrow iSolarCloud platforms prior to the remediation released on October 31, 2024. The flaw exists in the powerStationService API model, allowing attackers to access or manipulate objects without proper authorization checks.

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating it is exploitable over the network with low complexity by unauthenticated attackers requiring no user interaction. Successful exploitation enables high-impact confidentiality and integrity violations, such as unauthorized access to or modification of sensitive power station data and configurations.

Sungrow has addressed the issue with a remediation update released on October 31, 2024, as detailed in their security notice at https://en.sungrowpower.com/security-notice-detail-2/6118. Security practitioners should ensure iSolarCloud instances are updated to the patched version and review API access controls to mitigate IDOR risks.

Details

CWE(s)
CWE-639

Affected Products

sungrowpower
isolarcloud
≤ 2024-10-31

CVEs Like This One

CVE-2024-50693Same product: Sungrowpower Isolarcloud
CVE-2024-50686Same product: Sungrowpower Isolarcloud
CVE-2024-50687Same product: Sungrowpower Isolarcloud
CVE-2024-50689Same product: Sungrowpower Isolarcloud
CVE-2024-50688Same product: Sungrowpower Isolarcloud
CVE-2024-50691Same product: Sungrowpower Isolarcloud
CVE-2024-50694Same vendor: Sungrowpower
CVE-2024-50698Same vendor: Sungrowpower
CVE-2024-50695Same vendor: Sungrowpower
CVE-2025-40805Shared CWE-639

References