
ID

VDE-2024-020

Published

2025-01-27 14:00 (CET)

Last update

2025-01-27 09:44 (CET)

Vendor(s)

SMA Solar Technology AG

Product(s)

Article No°    Product Name              Affected Version(s)
               SMA Cluster Controller    all

Summary

A security researcher discovered a Cross Site Request Forgery (CSRF, XSRF) vulnerability in SMA Cluster Controller. The affected products are out of support (End-of-Life 2018-06-30).


Last Update:

Jan. 27, 2025, 9:13 a.m.

Weakness

Cross-Site Request Forgery (CSRF) (CWE-352)

Summary

Cross-Site Request Forgery vulnerability in SMA Cluster Controller, affecting version 01.05.01.R. This vulnerability could allow an attacker to send a malicious link to an authenticated user and, if the user follows it, perform actions on the affected device with that user's permissions.


Impact

The vulnerability could allow an attacker to send a malicious link to an authenticated user to perform actions with the user's permissions on the affected device.

Solution

Mitigation

If you cannot replace your Cluster Controller with a suitable up-to-date product, isolate the affected network segment by blocking all incoming network traffic. In particular, never configure your network to allow port forwarding to the SMA Cluster Controller. Avoid accessing Internet resources while logged in to the Cluster Controller.

Remediation

Replace the out-of-support Cluster Controller with a suitable up-to-date product. Technical information on the switchover can be found at sma-sunny.com/en/how-to-replace-old-data-logger/

Reported by

SMA Solar Technology AG thanks the following parties for their efforts: