VDE-2025-050 | CERT@VDE

2025-08-19 10:00 (CEST) VDE-2025-050

SMA: Sunny Portal limited disclosure of personal data of registered users to an authenticated user

Share: Email | Twitter

ID

VDE-2025-050

Published

2025-08-19 10:00 (CEST)

Last update

2025-08-18 10:52 (CEST)

Vendor(s)

SMA Solar Technology AG

Product(s)

Article No°	Product Name	Affected Version(s)
	ennexos.sunnyportal.com	< 15.08.2025

Summary

A security researcher discovered a data disclosure vulnerability in Sunny Portal powered by ennexOS, ennexos.sunnyportal.com. A regularly authenticated user can receive the name of an other registered Sunny Portal user by entering the email address of this registered user.

CVE ID

CVE-2025-41685

Last Update:

Aug. 19, 2025, 10:10 a.m.

Severity

6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Weakness

Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)

Summary

A low-privileged remote attacker can obtain the username of another registered Sunny Portal user by entering that user's email address.

Details

certvde.com

Impact

A regularly authenticated user of Sunny Portal could receive name and surname of other registered users.

Solution

Remediation

No action required. The vulnerability was closed in the Sunny Portal powered by ennexOS on August, 15th 2025.

Reported by

CERT@VDE coordinated with SMA

SMA thanks Jannik Zimmer for Reporting