SUN:DOWN Vulnerabilities Expose Critical Risks in Solar Inverters from Sungrow, Growatt, and SMA

Cybersecurity researchers have identified 46 new security vulnerabilities across solar inverter products from Sungrow, Growatt, and SMA, which could be exploited by malicious actors to seize control of devices, execute remote code, and potentially disrupt electrical grids.

46 Security Flaws Discovered in Solar Inverters Pose Threats to Power Grids

These vulnerabilities, collectively named SUN:DOWN by Forescout Vedere Labs, could allow attackers to execute arbitrary commands, compromise user accounts, infiltrate vendor infrastructures, and take over connected solar inverters.

Key Vulnerabilities Identified

Among the most severe flaws are:

  • Remote Code Execution: Attackers can upload malicious .aspx files to the SMA Sunny Portal web server, allowing them to execute arbitrary code.

  • User Account Takeover: Exposed Growatt APIs allow attackers to enumerate usernames, access user-owned solar plants, and hijack accounts by resetting passwords to the default "123456."

  • Device Control & Information Exposure: Unauthenticated attackers can extract sensitive information on EV chargers, energy consumption, and firmware details through Growatt’s exposed API endpoints, potentially leading to device manipulation or physical damage.

  • Weak Encryption & Hard-Coded Credentials: The Sungrow mobile app uses an insecure AES encryption key, making it vulnerable to adversary-in-the-middle (AitM) attacks. Additionally, Sungrow’s WiNet WebUI contains a hard-coded password, allowing unauthorized access to firmware updates.

  • Remote Exploitation via MQTT: Multiple vulnerabilities in Sungrow’s MQTT message handling could allow remote code execution or denial-of-service (DoS) attacks.

Potential Large-Scale Grid Disruptions

Forescout warns that if a threat actor compromised a significant number of these inverters, they could manipulate power output to the grid, potentially causing instability or blackouts. Worse still, hijacked inverters could be linked into a botnet, amplifying attacks against energy infrastructure.

Mitigation Efforts & Security Recommendations

Following responsible disclosure, all three vendors have issued patches to address the identified security flaws. However, experts stress that organizations procuring solar equipment should enforce strict security requirements, perform regular risk assessments, and maintain full network visibility into their connected devices.

Unpatched Vulnerabilities in Industrial Surveillance Systems

In a related development, security researchers have also discovered critical flaws in production line monitoring cameras from Inaba Denki Sangyo, a Japanese electronics manufacturer. These vulnerabilities, which remain unpatched, could allow unauthenticated attackers to:

  • Remotely access live video feeds for surveillance purposes.

  • Prevent recording of production stoppages, disrupting the monitoring of critical industrial operations.

While the manufacturer has not yet released patches, it advises customers to restrict internet access to the affected devices and ensure they are placed in secure, restricted areas.

Broader Concerns for Industrial Cybersecurity

These discoveries follow recent reports of security weaknesses in various industrial control systems (ICS) and operational technology (OT) devices, including:

  • GE Vernova N60 Network Relay

  • Zettler 130.8005 Industrial Gateway

  • Wago 750-8216/025-001 Programmable Logic Controller (PLC)

These flaws could be exploited to fully compromise affected devices, emphasizing the growing need for robust security in critical infrastructure systems.