CVE-2024-50691

High

Published: 26 February 2025

Published

26 February 2025

Modified

07 April 2025

KEV Added

—

Patch

—

CVSS Score 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0013 32.2th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50691 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Sungrowpower Isolarcloud. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 32.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-17 (Public Key Infrastructure Certificates).

Threat & Defense at a Glance

What attackers do: exploitation maps to Adversary-in-the-Middle (T1557). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-8 Transmission Confidentiality and Integrity good match

prevent

SC-8 mandates protection of transmission confidentiality and integrity using TLS, directly requiring proper SSL certificate validation to prevent MiTM attacks.

SC-17 Public Key Infrastructure Certificates good match

prevent

SC-17 requires management and validation of PKI certificates, directly addressing the app's explicit ignoring of certificate errors that enable server impersonation.

SC-13 Cryptographic Protection good match

prevent

SC-13 enforces cryptographic mechanisms to protect information in transit, mitigating MiTM by ensuring robust TLS implementations including certificate checks.

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.

attack.mitre.org →

Why these techniques?

Missing certificate validation directly enables adversary-in-the-middle attacks by allowing interception/modification of TLS traffic.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SunGrow iSolarCloud Android app V2.1.6.20241104 and prior suffers from Missing SSL Certificate Validation. The app explicitly ignores certificate errors and is vulnerable to MiTM attacks. Attackers can impersonate the iSolarCloud server and communicate with the Android app.

Deeper analysisAI

CVE-2024-50691 is a missing SSL certificate validation vulnerability (CWE-295) affecting the SunGrow iSolarCloud Android app in versions V2.1.6.20241104 and prior. The app explicitly ignores certificate errors during SSL/TLS connections, enabling man-in-the-middle (MiTM) attacks. It has a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high impact on confidentiality and integrity.

Remote network attackers can exploit this vulnerability by positioning themselves between the app and the iSolarCloud server, impersonating the legitimate server without requiring privileges or user interaction. Successful exploitation allows attackers to intercept, decrypt, read, modify, or inject data in communications, potentially exposing sensitive information or enabling further malicious actions within the app's context.

Sungrow has published a security notice with details on this issue at https://en.sungrowpower.com/security-notice-detail-2/6124. Security practitioners should consult this advisory for recommended mitigations or patches.