CVE-2024-50689
Published: 26 February 2025
Summary
CVE-2024-50689 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Sungrowpower Isolarcloud. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 enforces approved authorizations on the orgService API model, directly preventing IDOR exploitation by blocking unauthorized access and manipulation of objects via manipulated references.
SI-10 validates object references in API requests to the orgService model, rejecting invalid or unauthorized direct references that enable the IDOR vulnerability.
AC-6 applies least privilege to limit access to organization objects in iSolarCloud, reducing the impact of IDOR even if initial enforcement partially fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in public-facing orgService API directly enables remote exploitation of the application (T1190) and unauthorized object modification (T1565.001).
NVD Description
SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the orgService API model.
Deeper analysisAI
CVE-2024-50689 is an insecure direct object reference (IDOR) vulnerability, classified as CWE-639, affecting SunGrow iSolarCloud platforms prior to the October 31, 2024 remediation. The flaw exists in the orgService API model, enabling attackers to access or manipulate objects without proper authorization checks. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting its critical severity due to high impacts on confidentiality and integrity.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By manipulating object references in API requests to the orgService model, they can achieve unauthorized access to sensitive data and potentially modify it, compromising the integrity of iSolarCloud systems without affecting availability.
The vendor's security notice at https://en.sungrowpower.com/security-notice-detail-2/6116 details mitigation through the October 31, 2024 remediation. Security practitioners should verify and apply updates to affected iSolarCloud instances to address the IDOR issue.
Details
- CWE(s)