Cyber Resilience

CVE-2024-50698

Critical

Published: 24 January 2025

Modified: 29 May 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0074 (73.3rd percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-50698 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Sungrowpower Winet-S Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-50698 is a heap-based buffer overflow vulnerability affecting SunGrow WiNet-SV200 firmware versions 001.00.P027 and earlier. The flaw stems from insufficient bounds checks on MQTT message content, as classified under CWE-122: Heap-based Buffer Overflow. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Attackers can exploit this vulnerability remotely over the network with low attack complexity and without authentication, privileges, or user interaction. Successful exploitation could have a high impact on confidentiality, integrity, and availability, such as arbitrary code execution, device takeover, or denial of service on the affected WiNet-SV200 component.

The vendor has published a security notice with mitigation guidance at https://en.sungrowpower.com/security-notice-detail-2/5961. Security practitioners should consult this advisory for patching instructions and workarounds applicable to vulnerable SunGrow deployments.

Vulnerability details

SunGrow WiNet-SV200.001.00.P027 and earlier versions are vulnerable to a heap-based buffer overflow due to insufficient bounds checks of the MQTT message content.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated heap buffer overflow in network-exposed firmware (MQTT) directly enables arbitrary code execution via public-facing application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-50694 · Same product: Sungrowpower Winet-S
CVE-2024-50695 · Same product: Sungrowpower Winet-S
CVE-2024-50696 · Same product: Sungrowpower Winet-S
CVE-2024-50697 · Same product: Sungrowpower Winet-S
CVE-2024-50685 · Same vendor: Sungrowpower
CVE-2024-50693 · Same vendor: Sungrowpower
CVE-2024-50686 · Same vendor: Sungrowpower
CVE-2026-23827 · Shared CWE-122
CVE-2026-45584 · Shared CWE-122
CVE-2026-8175 · Shared CWE-122

Affected Assets

sungrowpower · winet-s firmware · ≤ 200.001.00.p027

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly addresses the root cause of insufficient bounds checks on MQTT message content by enforcing validation of input length and format.

prevent

Implements memory safeguards like address space randomization and non-executable heaps to prevent exploitation of heap-based buffer overflows.

prevent · recover

Ensures timely patching of the specific firmware flaw in SunGrow WiNet-SV200 versions up to 001.00.P027 as advised by the vendor.
