SMA Sunny Portal

MonitorCVSS 6.5ICS-CERT ICSA-25-079-04Mar 20, 2025

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SMA Sunny Portal contains a file upload vulnerability (CWE-434) that allows an attacker to upload and remotely execute code. The vulnerability was patched on December 19, 2024.

What this means

What could happen

An attacker could upload malicious code to Sunny Portal and execute it remotely, potentially compromising the portal's functionality and any downstream systems or data it controls.

Who's at risk

Solar power plant operators and energy managers who use SMA Sunny Portal for remote monitoring and management of photovoltaic systems. This includes municipal utilities with solar installations, solar farm operators, and any organization relying on Sunny Portal for PV system monitoring and data collection.

How it could be exploited

An attacker sends a specially crafted request to upload a malicious file to Sunny Portal. If the upload validation is bypassed, the attacker can then trigger code execution on the portal server. The portal sits between monitoring systems and plant operations data, so compromise could lead to monitoring blindness or data manipulation.

Prerequisites

Network access to Sunny Portal (typically web-based, reachable over HTTPS on port 443)
No authentication credentials required

remotely exploitableno authentication requiredlow complexityaffects monitoring and data integrity systems

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (1)

ProductAffected VersionsFix Status

Sunny Portal: <December_19_2024<December 19 2024December 19, 2024 build+

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGRestrict network access to Sunny Portal: only allow connections from authorized monitoring workstations and engineering networks; block direct internet access

HARDENINGDeploy Sunny Portal behind a firewall with strict ingress rules; do not expose the portal directly to the internet

WORKAROUNDIf internet access to Sunny Portal is required, enforce access only through a VPN; do not allow direct portal access from untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SMA Sunny Portal to the December 19, 2024 build or later

CVEs (1)

CVE-2025-0731

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/44ac2785-3b2c-470a-bd57-ca13320d6339

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.