SolisCloud Monitoring Platform Broken Access Control Vulnerability Allowing Insecure Direct Object References

Vulnerability

A broken access control vulnerability has been identified in the SolisCloud Monitoring Platform, specifically within the Cloud API and Device Control API, affecting both API v1 and API v2. This vulnerability allows any authenticated user to access detailed data of any plant by simply altering the plant_id in the API request. The issue arises from an authorization bypass through user-controlled keys, enabling unauthorized access to sensitive information.
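The authorization-bypass pattern described above, and the object-level check that closes it, as an added illustration (hypothetical code, not SolisCloud's API or any of its real endpoints; plant and user records are constructed sample data):

```python
# Added, hypothetical example: an object-level authorization check for a
# plant-detail lookup, contrasted with the IDOR pattern the advisory describes.
# None of this is SolisCloud code; all names and data are constructed.
from dataclasses import dataclass


@dataclass
class Plant:
    plant_id: str
    owner_id: str
    detail: dict


# Constructed sample data: two users, each owning one plant.
PLANTS = {
    "plant-1001": Plant("plant-1001", "user-A", {"capacity_kw": 5.0, "site": "Site A"}),
    "plant-1002": Plant("plant-1002", "user-B", {"capacity_kw": 8.4, "site": "Site B"}),
}

# Denied lookups are recorded so they can be forwarded to monitoring; one user
# being denied across many distinct plant_ids in a short window is the signal
# a detection rule for this class of bug should alert on.
DENIED_LOG = []


def get_plant_detail_insecure(user_id: str, plant_id: str) -> dict:
    """Vulnerable pattern: authentication only. user_id is never compared to
    the plant's owner, so any logged-in user can read any plant_id."""
    plant = PLANTS.get(plant_id)
    if plant is None:
        raise KeyError("unknown plant")
    return plant.detail


def get_plant_detail(user_id: str, plant_id: str) -> dict:
    """Hardened pattern: authorize the (user, object) pair, not just the user.
    The caller-supplied plant_id is treated as untrusted input."""
    plant = PLANTS.get(plant_id)
    # 'Not found' and 'not yours' return the same error so that valid plant_ids
    # cannot be distinguished from invalid ones by probing.
    if plant is None or plant.owner_id != user_id:
        DENIED_LOG.append({"user_id": user_id, "plant_id": plant_id})
        raise PermissionError("not found")
    return plant.detail
```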

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive data by manipulating API requests to access information that should be restricted.

Remediation

SolisCloud has not provided a response to requests for mitigation. Users are encouraged to contact SolisCloud customer support for more information. CISA recommends minimizing network exposure for control system devices, isolating them from business networks, and using secure remote access methods such as VPNs. Organizations should also follow CISA's recommended practices for industrial control systems cybersecurity.

Added: Dec 4, 2025, 10:29 PM
Updated: Dec 4, 2025, 10:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.