Dozens of Solar Inverter Flaws Could Be Exploited to Attack Power Grids
Summary:
Security researchers from Forescout’s Vedere Labs have disclosed 46 serious vulnerabilities in solar inverters produced by the world’s top three manufacturers. These flaws, which affect both the devices and their associated cloud platforms, could allow attackers to remotely take control of the inverters, execute malicious code, access sensitive user data, or even physically damage components. The implications are wide-reaching, particularly because these vulnerabilities could be exploited to manipulate the output of solar power systems, thereby potentially disrupting electrical grid stability on a large scale.
The most severe risk highlighted in the report involves the possibility of an attacker leveraging compromised inverters to create an imbalance between power generation and demand. By hijacking multiple devices, either individually or across a fleet, an attacker could coordinate a botnet-style operation, dynamically modulating inverter output in response to grid control signals. This would undermine efforts to balance electrical load and could force grid operators to respond to erratic surges or drops in power, potentially leading to brownouts, blackouts, or grid-wide instability. According to the researchers, this attack works by having the hijacked inverters operate in direct opposition to the grid’s primary control mechanisms, thereby amplifying the system’s fluctuations.
Growatt inverters were found to be particularly vulnerable, with cloud-based takeover possible without physical access. Attackers can exploit two IDOR (Insecure Direct Object Reference) vulnerabilities and two stored XSS (Cross-Site Scripting) issues to enumerate user accounts and steal credentials via JavaScript injection. With this access, adversaries can remotely operate the inverters, turning them on or off or altering their configuration parameters.
Sungrow inverters require a more complex exploitation chain. Attackers can first retrieve communication dongle serial numbers using several IDOR flaws (CVE-2024-50685, CVE-2024-50693, CVE-2024-50686) from the vendor's backend. Then, using hardcoded MQTT credentials (CVE-2024-50692), they can send arbitrary messages to specific devices. Finally, attackers can exploit multiple critical stack overflow vulnerabilities (CVE-2024-50694, CVE-2024-50695, CVE-2024-50698) to achieve remote code execution on the communication dongles linked to the inverter, thereby gaining persistent control.
Security Officer Comments:
SMA devices appear to be the least affected, with only one identified vulnerability (CVE-2025-0731). However, it still allows for remote code execution by uploading malicious .ASPX files to the company’s Sunny Portal platform, which manages PV systems. Though limited to cloud-based access, this flaw could still be used to impact a large number of connected systems. Beyond threats to the power grid, the researchers also warn that these vulnerabilities could be exploited to invade consumer privacy by gaining unauthorized access to smart devices integrated with the solar systems. There's also a ransomware threat, where attackers could lock down inverter access and demand payment in exchange for restoring control to the users.
Suggested Corrections:
All three manufacturers have since released patches. Sungrow and SMA responded promptly and collaborated with researchers to confirm their fixes addressed the reported flaws. Growatt also issued updates that were designed to be deployed without requiring modifications to the inverters themselves, reducing the burden on customers.
Link(s):
https://www.bleepingcomputer.com/ne...aws-could-be-exploited-to-attack-power-grids/
https://www.forescout.com/press-rel...y-risks-in-global-solar-power-infrastructure/