SolisCloud Monitoring Platform
Monitor · 7.7 · ICS-CERT ICSA-25-338-06 · Dec 4, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A weakness in the SolisCloud Monitoring Platform Cloud API and Device Control API (versions 1|2) allows an attacker with valid credentials to access sensitive information by manipulating API requests. The vulnerability bypasses authorization controls, exposing operational data and system configuration details. SolisCloud has not responded to CISA's mitigation requests and no patch is available.
What this means
What could happen
An attacker with valid credentials could manipulate API requests to access sensitive information from the SolisCloud Monitoring Platform, potentially exposing operational data from solar installations or connected devices under management.
Who's at risk
Solar energy system operators and utilities using SolisCloud Monitoring Platform (Cloud API or Device Control API versions 1|2) to manage inverters, battery storage, or other distributed solar assets. This includes municipalities with solar installations, commercial solar operations, and utility-scale solar farms relying on cloud-based monitoring.
How it could be exploited
An attacker with valid engineering or administrative credentials makes specially crafted requests to the SolisCloud Cloud API or Device Control API to bypass authorization checks and read sensitive information such as device configuration, operational status, or system metadata.
Prerequisites
- Valid user credentials (engineering workstation account or administrative access)
- Network access to SolisCloud API endpoints (typically internet-accessible cloud service)
- Knowledge of API request structure or ability to manipulate API parameters
- Requires valid credentials (authentication required)
- Remotely exploitable via internet-accessible API
- Low attack complexity
- Vendor non-responsive to mitigation requests
- No patch available
- Affects operational visibility and data confidentiality
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: Monitoring Platform (Cloud API & Device Control API): 1|2
Affected Versions: 1|2
Fix Status: No fix yet
Remediation & Mitigation
Do now
- HARDENING: Minimize internet exposure of SolisCloud API endpoints; do not allow direct access from untrusted networks
- WORKAROUND: Implement firewall rules to restrict API access to authorized IP ranges only (e.g., engineering workstations or VPN gateways)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Deploy API gateway or reverse proxy with request validation and logging in front of SolisCloud services
- HARDENING: Enforce multi-factor authentication (MFA) on all SolisCloud user accounts
- HOTFIX: Contact SolisCloud customer support for security updates or workarounds
Long-term hardening
- HARDENING: Monitor API logs for suspicious requests or unauthorized access attempts
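One way to act on the log-monitoring and IP-restriction items above, as an added example that is not part of the advisory or any SolisCloud code: it audits logs from your own reverse proxy for requests from non-allowlisted sources and for accounts requesting assets outside their assigned scope. The JSON-lines schema, account names, asset IDs and IP ranges are all assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumptions (not from the advisory): allowlisted ranges, per-account asset
# assignments, and the JSON-lines schema written by your own proxy.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]
ASSIGNED = {"eng-alice": {"plant-001", "plant-002"}, "ops-bob": {"plant-003"}}

# Constructed sample log lines (last one is deliberately malformed).
SAMPLE_LOG = """\
{"ts":"2025-12-05T08:00:01Z","src":"10.20.0.15","user":"eng-alice","resource":"plant-001","status":200}
{"ts":"2025-12-05T08:00:09Z","src":"10.20.0.15","user":"eng-alice","resource":"plant-003","status":200}
{"ts":"2025-12-05T08:01:30Z","src":"203.0.113.77","user":"ops-bob","resource":"plant-003","status":200}
{"ts":"2025-12-05T08:02:11Z","src":"10.20.0.22","user":"ops-bob","resource":"plant-001","status":403}
not-json garbage line
"""

def audit(log_text, allowed_nets=ALLOWED_NETS, assigned=ASSIGNED):
    """Return (line_number, finding) tuples for requests worth reviewing."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            src = ipaddress.ip_address(rec["src"])
            user, resource, status = rec["user"], rec["resource"], int(rec["status"])
        except (ValueError, KeyError, TypeError):
            # Never silently skip: a log line the auditor cannot read is a finding.
            findings.append((lineno, "unparseable"))
            continue
        if not any(src in net for net in allowed_nets):
            findings.append((lineno, "source-not-allowlisted"))
        if resource not in assigned.get(user, set()):
            # A 2xx response means data outside the account's scope was served.
            kind = "out-of-scope-served" if 200 <= status < 300 else "out-of-scope-denied"
            findings.append((lineno, kind))
    return findings

if __name__ == "__main__":
    for lineno, kind in audit(SAMPLE_LOG):
        print(f"line {lineno}: {kind}")
```

An "out-of-scope-served" finding is the one to escalate first, since it indicates valid credentials returned data the account was never assigned.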
CVEs (1)