Note: The below findings are the work of an anonymous third party researcher. The vulnerability described was patched in April/May of 2023.
iSolarcloud (iSC) is a monitoring system for Operators and Maintainers (O&M) of Photovoltaic (PV) systems and Energy Storage plants manufactured and/or operated by Sungrow. Services provided include: Plant connection, remote parameter configuration, wireless LAN (WLAN) configuration, fault management, alarm reporting push notifications, device monitoring and a knowledge repository. Customers can login via a web interface or mobile application to monitor and operate their systems.
iSolarCloud’s access management is organised into a hierarchical structure, with three levels of privilege:
The administrator can visit the background management system and manage information at this level or information on subordinate nodes, including creating region sub-nodes, creating accounts, and managing plants. The General user cannot visit the background management system and can only visit the foreground O&M system and iSolarCloud APP.
Every user account is also scoped to a specific region (China, Europe, Australia or Global), which customers choose during registration.
The backend management system allows for adding new and editing existing user accounts. Within the edit user dialog, customers can edit a user’s details, including email address, time zone settings, and roles. There is also a disabled radio control for the user’s level. By editing the website’s HTML code to remove the disabled attribute on this radio control an attacker can escalate a given users (or their own) privilege level to SuperAdministrator. No further plausibility checks are performed on the server side.
The SuperAdministrator privilege level allows access to all resources within the user’s region, including:
This kind of privilege escalation works for all iSC regions. A malicious attacker doesn’t need to own or access any Sungrow hardware, as new users can be registered at will. An identical flaw was also found in the add-user dialog, allowing an attacker to create SuperAdministrator-access accounts.
Details of the vulnerabilities disclosed in this document were provided to Sungrow in April/May of 2023. These issues were fixed immediately afterwards and are no longer exploitable in the described way.