Summary
A security researcher discovered a Cross-Site Request Forgery (CSRF, XSRF) vulnerability in SMA Cluster Controller. The affected products are out of support (End-of-Life 2018-06-30).
Impact
The vulnerability could allow an attacker to send a malicious link to an authenticated user to perform actions with the user's permissions on the affected device.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
| SMA Cluster Controller | Firmware vers: all/* |
Vulnerabilities
Cross-Site Request Forgery vulnerability in SMA Cluster Controller, affecting firmware version 01.05.01.R and earlier. This vulnerability could allow an attacker to send a malicious link to an authenticated user to perform actions with that user's permissions on the affected device.
Mitigation
If you cannot replace your Cluster Controller with a suitable up-to-date product, isolate the affected network segment by blocking all incoming network traffic. In particular, never configure your network to allow port forwarding to the SMA Cluster Controller. Avoid accessing Internet resources while logged in to the Cluster Controller.
Remediation
Replace the out-of-support Cluster Controller with a suitable up-to-date product. Technical information on the switchover can be found at www.sma-sunny.com/en/how-to-replace-o...
Revision History
Version | Date | Summary |
---|---|---|
1 | 20.01.2025 12:00 | Initial revision. |
2 | 12.02.2025 17:48 | Fix: corrected self-reference |