SMA Solar Technology AG Sunny WebBox Hard-Coded Account Vulnerability
Low Risk · ICS-CERT ICSA-15-181-02A · Apr 2, 2015
Summary
SMA Solar Technology AG Sunny WebBox contains a hard-coded account credential vulnerability (CWE-798). The device uses a default account that cannot be changed and is accessible to any user with network access to the WebBox interface. This allows unauthorized administrative access to the device.
What this means
What could happen
An attacker with network access to the Sunny WebBox can log in using the hard-coded account and gain administrative control of the solar inverter monitoring and management functions, potentially allowing them to alter output controls, disable monitoring, or disrupt PV system operations.
Who's at risk
Solar energy system operators, specifically those managing SMA solar installations with Sunny WebBox monitoring and control devices. Affects any organization operating photovoltaic (PV) systems with this equipment, particularly critical facilities (hospitals, water treatment, municipal utilities) that depend on solar backup power or grid-tied renewable generation.
How it could be exploited
An attacker reaches the WebBox management interface via HTTP/HTTPS on the network and uses the hard-coded credential to authenticate. Once logged in, they have full administrative access to modify inverter settings, output parameters, or disable system monitoring.
Prerequisites
- Network reachability to Sunny WebBox HTTP/HTTPS interface (typically port 80 or 443)
- No user authentication required beyond the hard-coded account
Tags: remotely exploitable · no authentication required (hard-coded account) · low complexity attack · no patch available · default credentials
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (1)
Product      | Affected Versions         | Fix Status
Sunny WebBox | vers:all/* (all versions) | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Sunny WebBox management interface using firewall rules; only permit engineering workstations and authorized monitoring systems.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HARDENING: Monitor access logs to the WebBox interface for unauthorized login attempts or unusual activity.
Mitigations - no patch available
Sunny WebBox: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the WebBox on a protected management VLAN, separate from general corporate or untrusted networks.
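The two compensating controls above (a firewall allowlist of engineering workstations, and monitoring of the WebBox interface for unauthorized logins) can be checked against each other: any login request, or any successful request, that reaches the interface from a source outside the allowlist means the network restriction has a gap. The script below is an added example for this advisory, not vendor code; the log line format (Apache-style combined logs, as a reverse proxy in front of the appliance might write them), the login paths and all addresses are constructed assumptions, not values taken from the Sunny WebBox product.

```python
"""Allowlist audit over WebBox management-interface access logs.

Added example for this advisory. The log format, login paths and addresses
below are assumptions for illustration, not Sunny WebBox specifics.
"""
import ipaddress
import re

# ASSUMPTION: the appliance, or a reverse proxy in front of it, writes
# Apache/nginx-style combined access logs. The real device format may differ.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# ASSUMPTION: placeholder authentication endpoints; not taken from the product.
LOGIN_PATHS = ("/login", "/cgi-bin/login")

# Engineering workstations and monitoring hosts permitted by the firewall
# workaround in the advisory (constructed example subnets).
ENGINEERING_ALLOWLIST = [
    ipaddress.ip_network("10.20.30.0/28"),
    ipaddress.ip_network("10.20.31.5/32"),
]


def is_allowlisted(src: str) -> bool:
    """True if src falls inside one of the permitted management subnets."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: treat as untrusted
    return any(addr in net for net in ENGINEERING_ALLOWLIST)


def parse_line(line: str):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit_access_log(lines):
    """Return one alert per request from outside the allowlist that is either a
    login attempt or a successful (2xx/3xx) access. Because the account is
    hard-coded, every non-allowlisted login attempt matters, whether or not the
    device accepted it."""
    alerts = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or is_allowlisted(rec["src"]):
            continue
        path = rec["path"].split("?")[0]
        is_login = rec["method"] == "POST" and path in LOGIN_PATHS
        if is_login or 200 <= rec["status"] < 400:
            alerts.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "kind": "login-attempt" if is_login else "unexpected-access",
            })
    return alerts


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '10.20.30.7 - - [02/Apr/2015:08:00:01 +0000] "GET /home.htm HTTP/1.1" 200 5120',
    '10.20.30.7 - - [02/Apr/2015:08:00:05 +0000] "POST /login HTTP/1.1" 302 0',
    '192.168.99.23 - - [02/Apr/2015:08:01:10 +0000] "POST /login HTTP/1.1" 302 0',
    '192.168.99.23 - - [02/Apr/2015:08:01:12 +0000] "GET /plant/settings.htm HTTP/1.1" 200 8192',
    '203.0.113.45 - - [02/Apr/2015:08:02:00 +0000] "POST /cgi-bin/login HTTP/1.1" 401 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for a in audit_access_log(SAMPLE_LOG):
        print(f'{a["ts"]} {a["kind"]:<17} src={a["src"]} {a["path"]} -> {a["status"]}')
```

On the constructed sample the two allowlisted requests from 10.20.30.7 are ignored, the login and the follow-on settings page read from 192.168.99.23 produce two alerts, and the rejected login from 203.0.113.45 produces a third: a 401 from an outside address still shows the interface is reachable from where the firewall rule should have blocked it.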
CVEs (1)