New research by Forescout Research’s Vedere Labs exposed vulnerabilities in solar power systems after analyzing six major solar inverter manufacturers: Huawei, Sungrow, Ginlong Solis, Growatt, GoodWe, and SMA Solar Technology. The SUN:DOWN research revealed nearly 50 new vulnerabilities across Sungrow, SMA, and Growatt products that could be used to disrupt the power grid and cause blackouts. The research also catalogued 93 previously known vulnerabilities in solar power systems, 80 percent of them classified as high or critical severity, with CVSS scores reaching 9.8 to 10. Together these flaws pose significant risk, potentially enabling dangerous attacks on power grids and on the smart-home devices tied to an inverter owner’s account.
Forescout said that it “did not find any significant weaknesses in Huawei, Ginlong Solis, and GoodWe in the limited time we could fairly dedicate to each vendor. This does not imply that these vendors are more or less secure than the others, since for some we didn’t have access to test accounts or decided not to spend more time on the analysis.”
The SUN:DOWN research comes as renewable energy sources, including solar power systems, are rapidly becoming essential elements of power grids throughout the world, especially in the U.S. and Europe. However, cybersecurity for these systems is often an afterthought, creating a growing risk to grid security, stability, and availability.
Recognizing the emerging threat scenario, the FBI released an industry notification last July warning organizations about threats to renewable energy resources. Other recent vulnerabilities in solar management platforms, gateways, and other components have raised similar alarms.
Forescout distinguished three types of solar power systems: residential systems, with six to twenty rooftop panels generating roughly five to fifteen kW for an individual home; commercial systems, somewhat larger, producing around one hundred kW or more to power a business; and industrial or utility-scale systems, with hundreds or thousands of ground-mounted panels in solar farms, generating at least one megawatt and typically owned by electric utilities. Using that classification, Forescout identified close to 1,700 solar power devices in commercial installations in its Device Cloud. Most of those devices sit in the government, manufacturing, and education sectors, each accounting for roughly 20 percent, followed by financial services, services, and healthcare.
The data showed Canada and Australia with the most observed commercial installations, followed by the U.S., Norway, and the U.K. Because of growing concern over the dominance of foreign-made solar power components, Forescout also analyzed their countries of origin. It found that 53 percent of solar inverter manufacturers, 58 percent of storage system manufacturers, and 20 percent of monitoring system manufacturers are based in China. The second and third most common countries of origin for components are India and the U.S.
In 2024, three significant cybersecurity incidents involved solar power monitoring devices. First, attackers hijacked 800 Contec SolarView Compact devices in Japan, raising concerns about grid stability; conflicting reports attributed the breach either to the hacktivist group HackerCN or to indiscriminate malware botnets. Second, the Chinese threat actor Flax Typhoon compromised similar devices, folding them into botnets that obscured its identity while it targeted networks abroad. Lastly, the Just Evil hacktivist group accessed the power monitoring dashboards of 22 clients of Lithuania’s Ignitis Group, including two hospitals, after obtaining valid credentials through a Trojan on customer devices.
A recent report cataloged 50 vulnerability disclosures and four incidents related to solar power systems.
Among the vendors analyzed, only SMA is from Europe, while the rest are headquartered in China. The SUN:DOWN research found various weaknesses in different components of the systems sold by Sungrow, Growatt, and SMA with varying potential impacts. These include multiple Insecure Direct Object Reference (IDOR) issues in the APIs leading to unauthorized access to resources in cloud platforms, broken authorization, multiple Cross-Site Scripting (XSS) vulnerabilities in web applications, and unrestricted file uploads on cloud web applications, also leading to remote code execution (RCE). They also identified hard-coded credentials and improper certificate validation in a mobile application, buffer overflows in a Wi-Fi communication dongle, and unauthenticated over-the-air firmware updates leading to RCE and persistent device takeover.
“Vulnerabilities on Growatt have not been assigned CVE IDs,” the research report said. “For these vulnerabilities, we use internal identifiers starting with FSCT-2024. The new vulnerabilities can be exploited to execute arbitrary commands on devices or the vendor’s cloud, take over accounts, gain a foothold in the vendor’s infrastructure, or take control of inverter owners’ devices.”
The SUN:DOWN research noted that the new vulnerabilities, which the affected vendors have since fixed, could allow attackers to take full control of an entire fleet of solar power inverters through a chain such as obtaining account usernames, resetting passwords to hijack those accounts, and then using the hijacked accounts to send commands that change inverter settings.
The researchers found that once in control of these inverters, attackers can tamper with their power output settings or switch them off and on in a coordinated manner, as a botnet. The combined effect of many hijacked inverters is a large swing in a grid’s power generation; how much damage that does depends on the grid’s emergency generation capacity and how quickly it can be activated. In the described chain, an attacker harvests serial numbers via IDORs, publishes MQTT messages addressed to the communication dongles with the collected serial numbers, and uses those messages to exploit one of the RCEs on the dongle to change the inverter settings.
Beyond the grid disruption scenario, the vulnerabilities could also impact the privacy of millions of users, potentially violating GDPR and other regulations, due to the exploitation of IDORs to access sensitive data, such as e-mail accounts, physical addresses, and energy consumption or production data.
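The IDOR class of flaw that recurs above (serial numbers harvested from APIs, other owners’ e-mail and address data exposed) is worth seeing beside its fix. The following is an added illustration written for this article, not code from Forescout or from any of the vendors named: a minimal, hypothetical fleet API keyed by inverter serial number, with constructed sample data. The vulnerable handler returns whatever serial the caller names; the hardened handler resolves the object and then checks that the authenticated account owns it, and returns the same error for “not yours” and “does not exist” so the endpoint cannot be used as a serial-number oracle.

```python
"""
Insecure Direct Object Reference (IDOR) in a solar-fleet API, and the fix.

Added example, not vendor or Forescout code. Names, endpoints and the
sample inventory below are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inverter:
    serial: str
    owner: str        # account name that owns the device
    email: str        # the kind of PII an IDOR leaks
    address: str
    kw_output: float


# Constructed sample data; these are not real devices, people or serials.
INVENTORY = {
    "SN100001": Inverter("SN100001", "alice", "alice@example.net", "1 Solar Way", 5.2),
    "SN100002": Inverter("SN100002", "bob", "bob@example.net", "2 Panel Rd", 7.9),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_inverter_vulnerable(session_user: str, serial: str) -> dict:
    """IDOR: the serial comes straight from the request and is looked up
    with no ownership check. Any authenticated user can read any other
    owner's e-mail, address and production data by iterating serials."""
    inv = INVENTORY[serial]
    return {"serial": inv.serial, "email": inv.email,
            "address": inv.address, "kw": inv.kw_output}


def get_inverter_hardened(session_user: str, serial: str) -> dict:
    """Object-level authorization: resolve the object, then verify that the
    authenticated principal owns it before returning anything. A missing
    serial and a serial owned by someone else produce the same error, so
    the endpoint cannot be used to enumerate valid serial numbers."""
    inv = INVENTORY.get(serial)
    if inv is None or inv.owner != session_user:
        raise Forbidden("not found")
    return {"serial": inv.serial, "email": inv.email,
            "address": inv.address, "kw": inv.kw_output}


def list_my_inverters(session_user: str) -> list:
    """Preferred API shape: derive the object set from the session rather
    than from a client-supplied identifier, so there is nothing to guess."""
    return sorted(s for s, inv in INVENTORY.items() if inv.owner == session_user)


def is_accessible(session_user: str, serial: str) -> bool:
    """True if the hardened handler would serve this serial to this user."""
    try:
        get_inverter_hardened(session_user, serial)
        return True
    except Forbidden:
        return False


def demo() -> tuple:
    """Alice tries to read Bob's inverter through both handlers.
    Returns (vulnerable handler leaked Bob's e-mail, hardened handler refused)."""
    leaked = get_inverter_vulnerable("alice", "SN100002")["email"] == "bob@example.net"
    refused = not is_accessible("alice", "SN100002")
    return leaked, refused


if __name__ == "__main__":
    print("leaked, refused =", demo())
    print("alice's devices:", list_my_inverters("alice"))
```

The check that matters is the `inv.owner != session_user` comparison inside the handler; a web framework’s login requirement alone does not provide it. Collapsing “does not exist” and “not yours” into one response is what stops the serial-harvesting step that the grid-disruption chain above begins with.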
The same flaws can let an attacker hijack other smart home devices in a user’s account, some of which are by design controlled by an inverter’s energy management capabilities, further extending the reach of the attack. They can also cause financial harm to utilities and grid operators, and ultimately consumers, without destabilizing the grid at all, through creative means such as cyber-physical ransomware or energy price manipulation.
“As the world transitions to cleaner, smarter and more modern energy grids, we must also take into account the potential for their disruption via cyberattacks and the role that each participating entity has to play to make the grid safer, from manufacturers to consumers but also asset owners and regulators,” according to the SUN:DOWN research. “The operational technology deeply integrated into the traditional grid, with legacy programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices (IEDs) and other equipment that is either not secure-by-design or, worse, is insecure-by-design, left us with power grids that can be taken over by cyberattacks.”
Unfortunately, the Forescout research shows that many of the assets used in more modern power generation solutions, such as solar inverters, communication dongles, and their cloud backends, are almost equally vulnerable. This means that utility asset owners are again left with the task of securing their deployments or facing the consequences. The difference is that these assets are now much more distributed than before, which makes them harder to defend as it may require the collaboration of consumers who are not always tech-savvy.
Forescout received mixed responses from the manufacturers it approached with the findings. Sungrow and SMA patched all the issues reported to them and asked the researchers to verify their fixes; both companies published advisories about the fixed vulnerabilities. Sungrow also engaged in ‘very meaningful conversations’ about improving its security posture. Growatt acknowledged and fixed the issues, which should not have required changes on the inverters themselves, but the process took much longer and was much less collaborative.
Last December, the National Institute of Standards and Technology (NIST) published guidelines for the cybersecurity of smart inverters in residential and commercial solar systems. The guidelines call upon owners and installers to change default passwords and credentials, use role-based access control, configure the recording of events in a log, update software regularly, back up system information, disable unused features, and protect communication connections.
Beyond those guidelines, the SUN:DOWN report called on owners of commercial installations, where inverters, communication dongles, and other devices may share a network with sensitive company equipment, to follow further recommendations. They should include security requirements in procurement decisions and understand the security maturity of the manufacturers whose equipment will be deployed on the network, considering factors such as how the vendor responds to reported vulnerabilities and whether security patches are made available.
They must conduct a risk assessment when setting up devices. Solar power equipment may introduce risks to the network that are not fully considered. If an attacker can use the manufacturer’s cloud as an entry point, execute malicious code on an inverter, and use that as a pivot point into parts of the network, they must have a way to mitigate this risk. They must also ensure visibility into solar power systems. As these devices become part of the network, organizations must have full visibility into their status and activity, as with other connected devices. This includes knowing their presence on the network, the software they are running, the vulnerabilities they may have, and who they are communicating with.
The SUN:DOWN report also recommended that asset owners and operators segment these devices into their own sub-networks, and place the devices connected to them in separate segments as well, so that solar equipment cannot be used as an entry point into the network and an attack from another entry point cannot reach the equipment and compromise physical infrastructure. They should monitor those segments with an IoT/OT-aware, DPI-capable monitoring solution that alerts on malicious indicators and behaviors targeting solar power systems, such as vulnerability exploitation, password guessing, and unauthorized use of OT protocols.
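The visibility and monitoring recommendations above translate into concrete detection logic. The following is an added example written for this article, not detection content from Forescout or any product. It assumes a constructed, syslog-like event format from an IoT/OT-aware sensor watching a segregated inverter VLAN (one event per line: timestamp, source, destination, event type, key=value fields), an assumed inverter segment of 10.20.30.0/24 and a single permitted Modbus master at 10.20.30.5. It flags the two behaviors the report names that are easiest to express as rules: password guessing against an inverter’s web interface, and an OT-protocol write from a host that has no business issuing one.

```python
"""
Detection logic for a segmented solar-equipment network.

Added example, not Forescout's or any vendor's code. The log format,
addresses and sample events below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed network layout: inverters live in their own segment and only one
# management host is allowed to write to them over Modbus/TCP.
SOLAR_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
MGMT_HOSTS = {ipaddress.ip_address("10.20.30.5")}
# Modbus function codes that change state: write single/multiple coils or registers.
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=2)

# Constructed sample log: one host outside the segment guesses passwords at an
# inverter, then tries a Modbus register write; the management host does
# legitimate reads and one write; a late, isolated failure is below threshold.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z 192.168.1.40 -> 10.20.30.11 http_login result=fail user=admin
2025-04-01T10:00:03Z 192.168.1.40 -> 10.20.30.11 http_login result=fail user=admin
2025-04-01T10:00:05Z 192.168.1.40 -> 10.20.30.11 http_login result=fail user=root
2025-04-01T10:00:07Z 192.168.1.40 -> 10.20.30.11 http_login result=fail user=installer
2025-04-01T10:00:09Z 10.20.30.5 -> 10.20.30.11 modbus func=3 addr=5000
2025-04-01T10:00:10Z 192.168.1.40 -> 10.20.30.11 http_login result=fail user=admin
2025-04-01T10:00:12Z 10.20.30.5 -> 10.20.30.11 modbus func=6 addr=5001 value=0
2025-04-01T10:00:15Z 192.168.1.40 -> 10.20.30.11 modbus func=16 addr=5001 value=0
2025-04-01T10:05:00Z 192.168.1.40 -> 10.20.30.11 http_login result=fail user=admin
"""


def parse(line: str) -> dict:
    """Parse one constructed event line into a dict with typed ts/src/dst."""
    ts, src, _arrow, dst, event, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "event": event,
        **fields,
    }


def detect(lines) -> list:
    """Run both rules over an iterable of log lines and return alerts as
    (rule, src, dst) tuples, in the order they fire."""
    alerts = []
    # Sliding window of failed-login timestamps per (source, inverter) pair.
    failures = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        if ev["dst"] not in SOLAR_SEGMENT:
            continue  # only traffic into the inverter segment is in scope here
        if ev["event"] == "http_login" and ev.get("result") == "fail":
            window = failures[(ev["src"], ev["dst"])]
            window.append(ev["ts"])
            # Drop failures older than the window, then test the threshold.
            window[:] = [t for t in window if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("password_guessing", str(ev["src"]), str(ev["dst"])))
        elif ev["event"] == "modbus":
            func = int(ev.get("func", 0))
            if func in MODBUS_WRITE_FUNCS and ev["src"] not in MGMT_HOSTS:
                alerts.append(("unauthorized_ot_write", str(ev["src"]), str(ev["dst"])))
    return alerts


def run_sample() -> list:
    """Apply the rules to the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

Two details carry the weight: the Modbus rule keys on function code, not just on the protocol, so routine reads from the management host stay quiet while a write from anywhere else does not; and the login rule alerts once when the threshold is first crossed rather than on every subsequent failure, which keeps a sustained guessing run from flooding the queue. A real deployment would pull the segment and allow-list from inventory rather than constants, which is exactly the visibility the report says organizations must have first.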