Cyber Posture

CVE-2024-50687

Critical

Published: 26 February 2025

Published
26 February 2025
Modified
07 April 2025
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0017 38.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50687 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Sungrowpower Isolarcloud. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for logical access to information and system resources, directly preventing unauthorized object access via IDOR in the devService API.

AC-24 Access Control Decisions good match
prevent

Authorizes access to specific system resources by defined personnel or roles, ensuring direct object references are validated against user permissions to mitigate IDOR exploitation.

AC-6 Least Privilege partial match
prevent

Employs least privilege to restrict access scope, limiting the confidentiality and integrity impacts of successful IDOR attacks on sensitive data.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1530 Data from Cloud Storage Collection
Adversaries may access data from cloud storage.
attack.mitre.org →
Why these techniques?

IDOR in public-facing cloud API directly enables remote exploitation of the application (T1190) and unauthorized access to cloud-hosted data repositories (T1530).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.

Deeper analysisAI

CVE-2024-50687 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-639, affecting SunGrow iSolarCloud platforms prior to the remediation released on October 31, 2024. The flaw exists in the devService API model, allowing unauthorized access to objects through direct references without proper access controls.

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality and integrity violations, such as reading or modifying sensitive data belonging to other users or entities via manipulated API requests.

SunGrow published a security notice detailing the issue at https://en.sungrowpower.com/security-notice-detail-2/6114, confirming the remediation deployed on October 31, 2024, as the primary mitigation for affected iSolarCloud instances.

Details

CWE(s)
CWE-639

Affected Products

sungrowpower
isolarcloud
≤ 2024-10-31

CVEs Like This One

CVE-2024-50685Same product: Sungrowpower Isolarcloud
CVE-2024-50693Same product: Sungrowpower Isolarcloud
CVE-2024-50686Same product: Sungrowpower Isolarcloud
CVE-2024-50689Same product: Sungrowpower Isolarcloud
CVE-2024-50688Same product: Sungrowpower Isolarcloud
CVE-2024-50691Same product: Sungrowpower Isolarcloud
CVE-2024-50694Same vendor: Sungrowpower
CVE-2024-50698Same vendor: Sungrowpower
CVE-2024-50695Same vendor: Sungrowpower
CVE-2024-50697Same vendor: Sungrowpower

References