VDE-2025-012
Last update
22.05.2025 15:03
Published at
26.02.2025 12:00
Vendor(s)
SMA Solar Technology AG
External ID
VDE-2025-012
CSAF Document
Summary
A security researcher discovered a critical Remote Code Execution vulnerability in sunnyportal.com.
An attacker could upload code instead of an image and remotely execute this code.
Impact
An unauthenticated attacker could upload code instead of an image in the demo section of the portal and remotely execute this code.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
| | www.sunnyportal.com <19.12.2024 | www.sunnyportal.com <19.12.2024 |
Vulnerabilities
Published
22.09.2025 14:58
Severity
Weakness
Unrestricted Upload of File with Dangerous Type (CWE-434)
Summary
An unauthenticated remote attacker can upload a '.aspx' file instead of a PV system picture through the demo account. The code can only be executed in the security context of the user.
References
Remediation
No action required. The vulnerability was closed in the portal on December 19, 2024.
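For operators of a comparable picture-upload feature, the following added example shows a server-side check for the CWE-434 weakness described above. It is not SMA's code or its fix; the function name, size limit, allowlist and sample inputs are assumptions made for illustration.

```python
import os
import secrets

# Assumed allowlist: canonical extension -> accepted leading magic bytes.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALIASES = {".jpeg": ".jpg"}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def safe_picture_name(client_name: str, data: bytes) -> str:
    """Validate an uploaded picture and return a server-chosen storage name."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Only the final extension is inspected; the rest of the client name is discarded.
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    ext = ALIASES.get(ext, ext)
    if ext not in MAGIC:  # rejects .aspx, "x.png.aspx", "x.aspx.", "x.png "
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        raise UploadRejected("content does not match the declared image type")
    # A magic-byte match does not prove the file is harmless. The random name
    # with an allowlisted extension is what keeps a handler from being mapped
    # to it; store the file where the web server serves it as static content.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = [("plant.png", png), ("plant.png.aspx", png),
               ("page.aspx.png", b"<%@ Page Language=\"C#\" %>")]
    for name, body in samples:
        try:
            print(name, "->", safe_picture_name(name, body))
        except UploadRejected as err:
            print(name, "-> rejected:", err)
```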
Revision History
Version | Date | Summary |
---|---|---|
1 | 26.02.2025 12:00 | Initial revision. |
2 | 28.02.2025 15:00 | Update: Changed Date in Remediation |
3 | 10.04.2025 15:00 | fixed document status, csaf reference URL |
4 | 22.05.2025 15:03 | Fix: added distribution, quotation mark |