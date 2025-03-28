Solar grids could be hijacked and even potentially disabled by these security flaws

News
By Benedict Collins

Power grids could be disrupted and damaged, experts warn

Power cables stretching out in front of the horizon
(Image credit: jplenio / Pixabay)
  • Experts claim solar inverter vulnerabilities could lead to damage to the power grid
  • Devices could be taken over and switched off, increasing grid load
  • 46 vulnerabilities discovered, with some potentially exposing user information

Solar inverters could be hijacked by cybercriminals to disrupt power supplies and damage the electrical grid.

46 vulnerabilities were found by Forescout [PDF] in solar inverters produced by Sungrow, Growatt, and SMA.

Many of the vulnerabilities could lead to remote code execution (RCE), denial of service, device takeover, and access to cloud platforms and sensitive information.

Power grid hijacking

For SMA devices, only a single vulnerability was found: CVE-2025-0731, which allows an attacker to use a demo account to upload an .aspx (Active Server Page Extended) file in place of a photovoltaic (PV) system picture, after which the file is executed by the sunnyportal.com web server.
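The root cause described above is a server accepting whatever the client labels a "picture". As an added illustration of the defensive check, not code from SMA, Sunny Portal or Forescout's report, the following Python validator accepts an upload only when the extension is on an allowlist, the bytes match that format's signature, and the stored name is generated server-side rather than reused from the client. All names, the size limit and the sample byte strings are assumptions constructed for the example.

```python
"""Server-side allowlisting of uploaded PV system pictures.

Hypothetical example written for this article, not SMA's or Sunny Portal's code.
The defect class is a file accepted as a 'picture' without the server
verifying that it actually is one.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Magic bytes for the image formats a portal would reasonably allow (assumed list).
IMAGE_SIGNATURES: dict[str, bytes] = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
MAX_PICTURE_BYTES = 5 * 1024 * 1024  # assumed size limit


@dataclass(frozen=True)
class UploadVerdict:
    accepted: bool
    reason: str
    stored_name: str | None = None


def _extension(filename: str) -> str:
    """Return the lower-cased final suffix of the final path component,
    so 'a.png.aspx' yields 'aspx' and '../x.png' yields 'png'."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[-1].lower()


def validate_pv_picture(filename: str, data: bytes, owner_id: int) -> UploadVerdict:
    """Accept the upload only if name, size and content all say 'image'."""
    ext = _extension(filename)
    if ext not in IMAGE_SIGNATURES:
        return UploadVerdict(False, f"extension '{ext or '<none>'}' not in allowlist")
    if len(data) > MAX_PICTURE_BYTES:
        return UploadVerdict(False, "file exceeds size limit")
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        # The extension claims an image but the bytes do not: treat as spoofed.
        return UploadVerdict(False, "content does not match declared image type")
    # Never reuse the client-supplied name on disk: derive a name from the
    # content and keep it under a per-owner directory served as static files.
    stored = f"pictures/{owner_id}/{hashlib.sha256(data).hexdigest()}.{ext}"
    return UploadVerdict(True, "ok", stored)


# Constructed sample inputs (not real uploads).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # PNG signature plus padding
JPG_SAMPLE = b"\xff\xd8\xff" + b"\x00" * 8                # JPEG signature plus padding
ASPX_SAMPLE = b'<%@ Page Language="C#" %>\n<p>not a picture</p>'  # server-side page markup

if __name__ == "__main__":
    for name, blob in [("site.png", PNG_SAMPLE), ("site.aspx", ASPX_SAMPLE),
                       ("site.png", ASPX_SAMPLE), ("site.png.aspx", PNG_SAMPLE)]:
        print(name, validate_pv_picture(name, blob, owner_id=42))
```

The three failing cases in the usage loop are the ones that matter in practice: a plain .aspx name, ASPX content hiding behind a .png name, and a double extension. Checking only one of extension or content lets one of them through.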

As for Sungrow solar inverters, insecure direct object reference (IDOR) vulnerabilities tracked as CVE-2024-50685, CVE-2024-50686, and CVE-2024-50693 could allow an attacker to harvest communication dongle serial numbers.

CVE-2024-50692 allows an attacker to use hard-coded MQTT credentials to send arbitrary commands to an arbitrary inverter dongle, or to carry out man-in-the-middle (MitM) attacks against MQTT communications.

The attacker can also use one of several critical stack overflow vulnerabilities (CVE-2024-50694, CVE-2024-50695, CVE-2024-50698) to remotely execute code on server-connected dongles. By chaining these vulnerabilities, an attacker could potentially reduce power generation during peak times to increase the load on the grid.

Growatt inverters can be hijacked via the cloud backend by listing usernames from an exposed Growatt API and then using those usernames for account takeover through two IDOR vulnerabilities.
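Both the Sungrow serial-number harvesting and the Growatt account takeover rest on the same IDOR pattern: an API resolves a client-supplied identifier without checking that the caller owns the object, and a companion endpoint lets the identifier space be listed. The Python below is an added example for this article, not Sungrow's, Growatt's or Forescout's code; it places the vulnerable lookup beside the hardened one, scopes listing to the caller, and adds a small detector that flags callers walking through identifiers in an access log. The registry contents, serial strings, thresholds and log events are all constructed.

```python
"""Object-level authorization for inverter dongle records, plus a simple
enumeration detector. Hypothetical example written for this article; the
ids, serials and log events are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Dongle:
    dongle_id: int
    owner_id: int
    serial: str  # constructed placeholder values, not real serial numbers


class NotAuthorized(Exception):
    """Raised for both 'no such record' and 'not your record'."""


# Constructed sample registry: two owners, three dongles.
REGISTRY: dict[int, Dongle] = {
    101: Dongle(101, owner_id=1, serial="SAMPLE-SERIAL-0001"),
    102: Dongle(102, owner_id=1, serial="SAMPLE-SERIAL-0002"),
    201: Dongle(201, owner_id=2, serial="SAMPLE-SERIAL-0003"),
}


def get_dongle_serial_idor(dongle_id: int) -> str | None:
    """Vulnerable pattern (the IDOR class in the article): the client-supplied
    id alone selects the record, so any authenticated caller can read any
    owner's serial."""
    d = REGISTRY.get(dongle_id)
    return d.serial if d else None


def check_access(caller_id: int, dongle_id: int) -> bool:
    """Ownership check. caller_id must come from the server-side session,
    never from the request body or URL."""
    d = REGISTRY.get(dongle_id)
    return d is not None and d.owner_id == caller_id


def get_dongle_serial(caller_id: int, dongle_id: int) -> str:
    """Hardened pattern: identical failure for missing and foreign records,
    so the response does not confirm which ids exist."""
    if not check_access(caller_id, dongle_id):
        raise NotAuthorized("dongle not found")
    return REGISTRY[dongle_id].serial


def list_my_dongles(caller_id: int) -> list[int]:
    """Listing is scoped to the caller; there is no endpoint that enumerates
    every id or every username."""
    return sorted(d.dongle_id for d in REGISTRY.values() if d.owner_id == caller_id)


def flag_enumeration(events: list[tuple[int, int, bool]], threshold: int = 5) -> set[int]:
    """Detection over access-log events (caller_id, dongle_id, allowed):
    flag callers that touched more than `threshold` distinct ids or were
    denied more than `threshold` times within the window."""
    touched: dict[int, set[int]] = {}
    denied: dict[int, int] = {}
    for caller, dongle, allowed in events:
        touched.setdefault(caller, set()).add(dongle)
        if not allowed:
            denied[caller] = denied.get(caller, 0) + 1
    return {
        c for c, ids in touched.items()
        if len(ids) > threshold or denied.get(c, 0) > threshold
    }


# Constructed access-log sample: owner 1 reads its own two dongles; caller 2
# requests ids 100..110 and is denied on every one it does not own.
SAMPLE_EVENTS: list[tuple[int, int, bool]] = (
    [(1, 101, True), (1, 102, True)]
    + [(2, i, check_access(2, i)) for i in range(100, 111)]
)

if __name__ == "__main__":
    print(get_dongle_serial(1, 101))
    print(get_dongle_serial_idor(201))      # readable by anyone: the defect
    print(flag_enumeration(SAMPLE_EVENTS))  # {2}
```

The detector is deliberately simple: a high count of distinct ids or of denials from one caller in a short window is the signal that an identifier space is being walked, and it works whether the endpoint has been fixed (denials) or not (distinct ids).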

All of the disclosed vulnerabilities have since been patched by the manufacturers.


Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

