CVE-2024-50688
Published: 26 February 2025
Summary
CVE-2024-50688 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Sungrowpower Isolarcloud. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 mandates secure management, distribution, and protection of authenticators, directly preventing the use of hardcoded credentials in the application and cloud MQTT communications.
SI-2 requires identification, reporting, and timely remediation of software flaws like hardcoded credentials, enabling patching as recommended by the vendor.
SC-8 enforces confidentiality and integrity protections for network transmissions, mitigating interception and manipulation of MQTT device telemetry even with compromised credentials.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hardcoded shared MQTT credentials directly enable unauthenticated remote access and manipulation of the public-facing telemetry service (T1190) via embedded application credentials (T1552.001).
NVD Description
SunGrow iSolarCloud Android application V2.1.6.20241017 and prior contains hardcoded credentials. The application (regardless of the user account) and the cloud uses the same MQTT credentials for exchanging the device telemetry.
Deeper analysisAI
CVE-2024-50688 is a critical vulnerability in the SunGrow iSolarCloud Android application, affecting version V2.1.6.20241017 and prior releases. It stems from hardcoded credentials (CWE-798), where the application—regardless of the user account—and the associated cloud service share the same MQTT credentials for exchanging device telemetry data. This flaw earned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severe potential impact.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. By leveraging the static MQTT credentials, adversaries can intercept, manipulate, or spoof device telemetry communications between the app, cloud, and solar devices, potentially achieving high levels of confidentiality compromise (e.g., data exfiltration), integrity violations (e.g., falsified telemetry), and availability disruption (e.g., denial of telemetry exchange).
Sungrow has published a security notice at https://en.sungrowpower.com/security-notice-detail-2/6122 detailing the issue. Security practitioners should consult this advisory for vendor-recommended mitigations, such as updating to a patched application version.
Details
- CWE(s)