CVE-2024-50698
Published: 24 January 2025
Summary
CVE-2024-50698 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Sungrowpower Winet-S Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 23.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the root cause of insufficient bounds checks on MQTT message content by enforcing validation of input length and format.
Implements memory safeguards like address space randomization and non-executable heaps to prevent exploitation of heap-based buffer overflows.
Ensures timely patching of the specific firmware flaw in SunGrow WiNet-SV200 versions up to 001.00.P027 as advised by the vendor.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated heap buffer overflow in network-exposed firmware (MQTT) directly enables arbitrary code execution via public-facing application exploitation.
NVD Description
SunGrow WiNet-SV200.001.00.P027 and earlier versions is vulnerable to heap-based buffer overflow due to bounds checks of the MQTT message content.
Deeper analysis
CVE-2024-50698 is a heap-based buffer overflow vulnerability affecting SunGrow WiNet-SV200 firmware versions 001.00.P027 and earlier. The flaw stems from insufficient bounds checks on MQTT message content, as classified under CWE-122: Heap-based Buffer Overflow. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
Attackers can exploit this vulnerability remotely over the network with low attack complexity and without authentication, privileges, or user interaction. Successful exploitation could have a high impact on confidentiality, integrity, and availability, such as arbitrary code execution, device takeover, or denial of service on the affected WiNet-SV200 component.
The vendor has published a security notice with mitigation guidance at https://en.sungrowpower.com/security-notice-detail-2/5961. Security practitioners should consult this advisory for patching instructions and workarounds applicable to vulnerable SunGrow deployments.
Details
- CWE(s)