Sungrow WiNet-S Hardcoded MQTT Credentials Vulnerability Allowing Arbitrary Command Execution on Inverters

Vulnerability

A vulnerability exists in Sungrow WiNet-S version WINET-SV200.001.00.P027 and earlier: hardcoded MQTT credentials enable attackers to send arbitrary commands to any connected inverter. Additionally, because TLS is not used to verify the broker, an attacker can impersonate the MQTT broker, exposing communications to man-in-the-middle attacks at the TCP/IP level.

Impact

Exploitation of this vulnerability could lead to unauthorized command execution on connected inverters, allowing for manipulation of inverter operations. Furthermore, the lack of TLS could be exploited to intercept or alter MQTT communications between the inverter and broker.

Reproduction

The vulnerability can be reproduced by accessing the WiNet-S WebUI and using the hardcoded MQTT credentials to connect to the MQTT broker. Once connected, arbitrary commands can be sent to any inverter. The absence of TLS can be verified by inspecting the MQTT connection details, confirming that the broker is not properly authenticated.

Remediation

Users are advised to upgrade to WiNet-S version WINET-SV200.001.00.P028 or higher.
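
A fleet check for the remediation above, as an added example that is not part of the original advisory or any vendor tooling: it classifies reported firmware strings against the fixed version. The field layout and ordering of the version string, and the device names in the sample inventory, are assumptions.

```python
import re

# Version strings taken from the advisory text.
LAST_VULNERABLE = "WINET-SV200.001.00.P027"
FIRST_FIXED = "WINET-SV200.001.00.P028"

# Assumed layout: WINET-SV<major>.<minor>.<rev>.P<patch>, compared left to right.
_PATTERN = re.compile(r"^WINET-SV(\d+)\.(\d+)\.(\d+)\.P(\d+)$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, rev, patch) as ints, or None if the string does not match."""
    m = _PATTERN.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(firmware):
    """Return 'vulnerable', 'fixed' or 'unknown' for one reported firmware string."""
    version = parse_version(firmware)
    if version is None:
        # Never treat an unparseable value as patched; send it to manual review.
        return "unknown"
    return "vulnerable" if version <= parse_version(LAST_VULNERABLE) else "fixed"


def audit(inventory):
    """Group device names by classification; inventory is (name, firmware) pairs."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for name, firmware in inventory:
        report[classify(firmware)].append(name)
    return report


# Constructed sample inventory (hypothetical device names).
SAMPLE_INVENTORY = [
    ("site-a-dongle-1", "WINET-SV200.001.00.P027"),
    ("site-a-dongle-2", "WINET-SV200.001.00.P028"),
    ("site-b-dongle-1", "WINET-SV200.001.00.P019"),
    ("site-b-dongle-2", "not reported"),
]

if __name__ == "__main__":
    for status, names in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Devices reported as unknown should be checked by hand rather than assumed to be patched.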

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.