ID

VDE-2025-012

Published

2025-02-26 11:00 (CET)

Last update

2025-02-28 09:11 (CET)

Vendor(s)

SMA Solar Technology AG

Product(s)

Article No°: (none listed)
Product Name: www.sunnyportal.com
Affected Version(s): < 19.12.2024

Summary

A security researcher discovered a critical Remote Code Execution vulnerability in sunnyportal.com. An attacker could upload code instead of an image and remotely execute this code.

Update: Changed Date in Remediation


CVE ID

CVE-2025-0731

Last Update:

24 February 2025 09:54

Weakness

Unrestricted Upload of File with Dangerous Type (CWE-434)

Summary

An unauthenticated remote attacker can upload a .aspx file instead of a PV system picture through the demo account. The code can only be executed in the security context of the user.
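
The following is an added example, not SMA's code or fix (the advisory does not describe either): a server-side check against CWE-434 that accepts a picture upload only when both the claimed extension and the leading bytes match an allowed image type, and stores it under a server-generated name. The function names, the allowlist and the size limit are assumptions made for illustration.

```python
import os
import secrets

# Constructed policy for illustration: allowed picture types and their signatures.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALIASES = {".jpeg": ".jpg"}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(Exception):
    """Raised when an upload fails the picture policy."""


def sniff_type(data: bytes):
    """Return the canonical extension matching the leading bytes, or None."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def accept_picture(client_name: str, data: bytes) -> str:
    """Validate an upload and return the server-generated name to store it under."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Windows ignores trailing dots and spaces in file names, so strip them first.
    base = os.path.basename(client_name.replace("\\", "/")).rstrip(". ").lower()
    ext = os.path.splitext(base)[1]
    ext = ALIASES.get(ext, ext)
    if ext not in SIGNATURES:
        raise UploadRejected(f"extension {ext or '(none)'} is not an allowed picture type")
    if sniff_type(data) != ext:
        raise UploadRejected("content does not match the claimed picture type")
    # The client-supplied name never reaches the filesystem: even a file that
    # passes the signature check is stored under a random, non-script name.
    return secrets.token_hex(16) + ext
```

The signature check alone does not make a file harmless; the upload directory should also be configured so that the web server never executes content from it.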

Details

certvde.com 

Impact

An unauthenticated attacker could upload code instead of an image in the demo section of the portal and remotely execute this code.

Solution

Remediation

No action required. The vulnerability was closed in the portal on December 19, 2024.

Reported by

CERT@VDE coordinated with SMA

Reported by Francesco La Spina from Forescout Technologies Inc.