SMA: Sunny Portal limited disclosure of personal data of registered users to an authenticated user

VDE-2025-050

Last update

08/19/2025 12:00

Published at

08/19/2025 12:00

Vendor(s)

SMA Solar Technology AG

External ID

VDE-2025-050

CSAF Document

Download

Summary

A security researcher discovered a data disclosure vulnerability in Sunny Portal powered by ennexOS, ennexos.sunnyportal.com.
A regularly authenticated user can receive the name of an other registered Sunny Portal user by entering the email address of this registered user.

Impact

A regularly authenticated user of Sunny Portal could receive name and surname of other registered users.

Affected Product(s)

Model no.	Product name	Affected versions
	ennexos.sunnyportal.com <15.08.2025	ennexos.sunnyportal.com <15.08.2025

Vulnerabilities

Expand / Collapse all

Published

09/22/2025 14:58

Severity

6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weakness

Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)

Summary

A low-privileged remote attacker can obtain the username of another registered Sunny Portal user by entering that user's email address.

References

cve.org | nvd.nist.gov

Remediation

No action required. The vulnerability was closed in the Sunny Portal powered by ennexOS on August, 15th 2025.

Revision History

Version	Date	Summary
1	08/19/2025 12:00	Initial revision.

SMA: Sunny Portal limited disclosure of personal data of registered users to an authenticated user

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2025-41685 6.5

Remediation

Revision History