OTPulse
FeedAboutContact

SMA Sunny Portal

Monitor6.5ICS-CERT ICSA-25-079-04Mar 20, 2025
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Sunny Portal versions before December 19, 2024 contain an unrestricted file upload vulnerability (CWE-434) that allows an unauthenticated remote attacker to upload and execute code on the portal server. Successful exploitation could allow an attacker to upload and remotely execute code, compromising the system's integrity and availability. SMA closed this vulnerability in the portal on December 19, 2024.

What this means
What could happen
An attacker could upload and execute malicious code on the Sunny Portal, potentially compromising the availability and integrity of the system. This could disrupt monitoring and control of solar PV systems managed through the portal.
Who's at risk
SMA Sunny Portal operators, particularly those managing distributed solar PV systems across multiple sites. This affects solar installers and utilities using Sunny Portal for remote monitoring and configuration of SMA inverters and solar arrays.
How it could be exploited
An attacker sends a crafted upload request to the Sunny Portal with a malicious file (CWE-434: unrestricted file upload). If the portal does not properly validate the file type or location, the attacker's code executes on the server, allowing remote command execution.
Prerequisites
  • Network access to the Sunny Portal without authentication required
  • Ability to reach the portal upload endpoint from the attacker's network
remotely exploitableno authentication requiredlow complexityaffects monitoring and control systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
ProductAffected VersionsFix Status
Sunny Portal: <December_19_2024<December 19 2024December 19, 2024 build or later
Remediation & Mitigation
0/3
Do now
0/2
HARDENINGRestrict network access to Sunny Portal: ensure the system is not accessible from the internet. Place it behind a firewall and isolate it from business networks if possible.
HARDENINGIf remote access to Sunny Portal is necessary, enforce access through a VPN with strong authentication and keep the VPN client and server software updated.
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply the December 19, 2024 security update to Sunny Portal. The vulnerability was already closed on that date; verify your portal is running a build on or after this date.
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/44ac2785-3b2c-470a-bd57-ca13320d6339