CVE-2024-50686
Published: 26 February 2025
Summary
CVE-2024-50686 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Sungrowpower Isolarcloud. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 38.2 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for logical access to information and system resources, directly preventing IDOR exploitation by ensuring proper checks on user-supplied object references in the commonService API.
AC-14 limits permitted actions without identification or authentication, mitigating unauthenticated remote access and modification of sensitive objects via the IDOR in commonService API.
SI-10 validates information inputs such as object identifiers in API requests, providing a secondary check against manipulated direct object references in the vulnerable commonService model.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An IDOR in a public-facing web API directly enables remote, unauthenticated exploitation of the application for unauthorized object access or modification.
NVD Description
SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the commonService API model.
Deeper analysis
CVE-2024-50686 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-639, affecting SunGrow iSolarCloud prior to the October 31, 2024 remediation. The issue resides in the commonService API model, enabling improper access control to objects based on user-supplied input. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), highlighting its critical severity due to network accessibility and high impacts on confidentiality and integrity.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation allows unauthorized access to sensitive data (high confidentiality impact) and modification of objects (high integrity impact), potentially compromising user-specific resources in the iSolarCloud platform without disrupting availability.
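The CWE-639 pattern described above, and the AC-14 / AC-3 / SI-10 controls listed under Mitigating Controls, are illustrated by the following added example. It is hypothetical Python, not SunGrow's commonService code (which this page does not show): the object store, plant ids, owners and configurations are constructed sample data, and the two handlers show a caller-supplied object id used directly as a lookup key beside a version that validates the id and enforces authentication and ownership first.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Plant:
    plant_id: int
    owner: str
    config: str


# Constructed sample objects (hypothetical; not iSolarCloud data).
PLANTS: Dict[int, Plant] = {
    101: Plant(101, "alice", "export-limit=5kW"),
    102: Plant(102, "bob", "export-limit=3kW"),
}


class AuthorizationError(Exception):
    pass


def get_plant_vulnerable(caller: Optional[str], plant_id) -> Plant:
    """CWE-639 pattern: the caller-supplied id is the lookup key and nothing
    checks that the caller is authenticated or owns the referenced object."""
    return PLANTS[int(plant_id)]


def can_access(caller: Optional[str], plant_id) -> bool:
    """Object-level authorization decision used by the hardened handlers."""
    if caller is None:                      # AC-14: no anonymous access
        return False
    if not isinstance(plant_id, int):       # SI-10: reject non-integer ids
        return False
    plant = PLANTS.get(plant_id)
    # Missing and not-owned objects are treated alike so ids cannot be
    # distinguished by response; this is the AC-3 ownership check.
    return plant is not None and plant.owner == caller


def get_plant_hardened(caller: Optional[str], plant_id) -> Plant:
    if not can_access(caller, plant_id):
        raise AuthorizationError("object not found or not permitted")
    return PLANTS[plant_id]


def update_plant_hardened(caller: Optional[str], plant_id, new_config: str) -> Plant:
    """Integrity side: the same check guards modification, not only reads."""
    plant = get_plant_hardened(caller, plant_id)
    updated = Plant(plant.plant_id, plant.owner, new_config)
    PLANTS[plant_id] = updated
    return updated
```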
The vendor's security notice advises applying the remediation released on October 31, 2024, to affected iSolarCloud deployments. Additional details are available at https://en.sungrowpower.com/security-notice-detail-2/6112.
Details
- CWE(s)