Researchers Uncover 46 Critical Flaws in Solar Inverters From Sungrow, Growatt, and SMA

Mar 28, 2025Ravie LakshmananOperational Technology / Vulnerability

Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids.

The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs.

“The new vulnerabilities can be exploited to execute arbitrary commands on devices or the vendor’s cloud, take over accounts, gain a foothold in the vendor’s infrastructure, or take control of inverter owners’ devices,” the company said in a report shared with The Hacker News.

Some of the notable flaws identified are listed below –

• Attackers can upload .aspx files that will be executed by the web server of SMA (sunnyportal[.]com), resulting in remote code execution
• Unauthenticated attackers can perform username enumeration via the exposed “server.growatt.com/userCenter.do” endpoint
• Unauthenticated attackers can obtain the list of plants belonging to other users as well as arbitrary devices via the “server-api.growatt.com/newTwoEicAPI.do” endpoint, resulting in device takeover
• Unauthenticated attackers can obtain the serial number of a smart meter using a valid username via the “server-api.growatt.com/newPlantAPI.do” endpoint, resulting in account takeover
• Unauthenticated attackers can obtain information about EV chargers, energy consumption information, and other sensitive data via the “evcharge.growatt.com/ocpp” endpoint, as well as remotely configure EV chargers and obtain information related to firmware, resulting in information disclosure and physical damage
• The Android application associated with Sungrow uses an insecure AES key to encrypt client data, opening the door to a scenario where an attacker can intercept and decrypt communications between the mobile app and iSolarCloud
• The Android application associated with Sungrow explicitly ignores certificate errors and is vulnerable to adversary-in-the-middle (AitM) attacks
• Sungrow’s WiNet WebUI contains a hard-coded password that can be used to decrypt all firmware updates
• Multiple vulnerabilities in Sungrow when handling MQTT messages that could result in remote code execution or a denial-of-service (DoS) condition

“An attacker that gained control of a large fleet of Sungrow, Growatt, and SMA inverters using the newly discovered vulnerabilities could control enough power to cause instability to these power grids and other major ones,” Forescout said.

In a hypothetical attack scenario targeting Growatt inverters, a threat actor could guess the real account usernames through an exposed API, hijack the accounts by resetting their passwords to the default “123456,” and perform follow-on exploitation.

To make matters worse, the hijacked fleet of inverters could then be controlled as a botnet to amplify the attack and inflict damage on the grid, leading to grid disruption and potential blackouts. All the vendors have since addressed the identified issues following responsible disclosure.

“As attackers can control entire fleets of devices with an impact on energy production, they can alter their settings to send more or less energy to the grid at certain times,” Forescout said, adding the newly discovered flaws risk exposing the grid to cyber-physical ransomware attacks.

Daniel dos Santos, Head of Research at Forescout Vedere Labs, said mitigating the risks requires enforcing strict security requirements when procuring solar equipment, conducting regular risk assessments, and ensuring full network visibility into these devices.

The disclosure comes as serious security flaws have been discovered in production line monitoring cameras made by Japanese company Inaba Denki Sangyo that could be exploited for remote surveillance and prevent recording production stoppages.

The vulnerabilities remain unpatched, but the vendor has urged customers to restrict internet access and limit ensure that such devices are installed in a secure, restricted area that’s accessible only to authorized personnel.

“These flaws enable various attacks, allowing an unauthenticated attacker to remotely and secretly access live footage for surveillance, or disrupt the recording of production line stoppages preventing the capture of critical moments,” Nozomi Networks said.

In recent months, the operational technology (OT) security company has also detailed multiple security defects in the GE Vernova N60 Network Relay, Zettler 130.8005 industrial gateway, and Wago 750-8216/025-001 programmable logic controller (PLC) that could be weaponized by an attacker to take full control of the devices.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!