SMA: Sunny Portal demo system privilege escalation

VDE-2025-010
Last update
05/14/2025 15:00
Published at
05/13/2025 13:00
Vendor(s)
SMA Solar Technology AG
External ID
VDE-2025-010

Summary

A security researcher discovered a privilege escalation vulnerability in the demo system area of the SMA Classic Portal, www.sunnyportal.com.
The only systems affected were those of other users who had unintentionally and illicitly added their non-demo systems to the demo system area.

Impact

An unauthenticated attacker could gain access to systems within the demo system area. The attacker could change parameters and configuration data, limited to the demo systems provided there. No indicators of compromise have been identified.

Affected Product(s)

Model no. Product name Affected versions
www.sunnyportal.com <20.02.2025 www.sunnyportal.com <20.02.2025

Vulnerabilities

Published
09/22/2025 14:58
Weakness
Incorrect Resource Transfer Between Spheres (CWE-669)
Summary

An unauthenticated remote attacker could use a demo account of the portal to hijack devices that were created in that account by mistake.

Remediation

No action required. The vulnerability was closed in the portal backend on Feb 20th, 2025. A workaround mitigating the impact was implemented on Jan 20th, 2025, immediately after the issue was reported.

Revision History

Version Date Summary
1 05/13/2025 13:00 Initial revision.
2 05/14/2025 15:00 Fix: added distribution