Multiple vulnerabilities in SMA products

Posted date 26/02/2024
4 - High
Affected Resources
  • SMA Cluster Controller, 01.05.01.R version.
  • Sunny Webbox, 1.61 versions and prior.

INCIBE has coordinated the publication of 2 vulnerabilities, one of high and one medium severity, affecting SMA Cluster Controller, version 01.05.01.R, a device for monitoring and controlling SMA inverters, and Sunny Webbox, version 1.6.1 and earlier, a data logger that records and logs data from a photovoltaic installation and makes it available for consultation, which have been discovered by David Matilla Rebollo.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • CVE-2024-1889: 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-352 
  • CVE-2024-1890: 6.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L | CWE-1021 

There is no reported solution at this time.

  • CVE-2024-1889: Cross-Site Request Forgery vulnerability in SMA Cluster Controller, affecting version 01.05.01.R. This vulnerability could allow an attacker to send a malicious link to an authenticated user to perform actions with these user permissions on the affected device.
  • CVE-2024-1890: vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier.