Cyber Resilience

CVE-2024-50694

Critical

Published: 24 January 2025

Published
24 January 2025
Modified
29 May 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0068 72.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50694 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Sungrowpower Winet-S Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-50694 is a stack-based buffer overflow vulnerability (CWE-121) affecting SunGrow WiNet-SV200 software in versions 001.00.P027 and earlier. The issue arises when the software copies a timestamp extracted from an MQTT message into a fixed-size buffer without performing bounds checks, potentially allowing arbitrary data to overflow the stack.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By sending a specially crafted MQTT message containing an oversized timestamp, an attacker could overwrite stack memory, potentially leading to remote code execution, denial of service, or unauthorized access to confidential data and system integrity.

SunGrow has published a security notice detailing the vulnerability at https://en.sungrowpower.com/security-notice-detail-2/5961, which serves as the primary reference for affected users seeking mitigation guidance or patches.

EU & UK References

Vulnerability details

In SunGrow WiNet-SV200.001.00.P027 and earlier versions, when copying the timestamp read from an MQTT message, the underlying code does not check the bounds of the buffer that is used to store the message. This may lead to a stack-based buffer…

more

overflow.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of a network-exposed MQTT service via buffer overflow leading to RCE without auth.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-50695Same product: Sungrowpower Winet-S
CVE-2024-50698Same product: Sungrowpower Winet-S
CVE-2024-50696Same product: Sungrowpower Winet-S
CVE-2024-50697Same product: Sungrowpower Winet-S
CVE-2024-50685Same vendor: Sungrowpower
CVE-2024-50693Same vendor: Sungrowpower
CVE-2024-50686Same vendor: Sungrowpower
CVE-2025-11779Shared CWE-121
CVE-2026-25823Shared CWE-121
CVE-2025-69766Shared CWE-121

Affected Assets

sungrowpower
winet-s firmware
≤ 200.001.00.p027

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of information inputs such as the MQTT timestamp to enforce bounds checking and prevent stack-based buffer overflows.

prevent

SI-16 provides memory protections like stack canaries or DEP that mitigate exploitation of stack buffer overflows by preventing arbitrary code execution.

prevent

SI-2 ensures timely identification, reporting, and patching of flaws like this buffer overflow vulnerability in the SunGrow WiNet-SV200 software.

References