Bitdefender researchers exposed critical vulnerabilities in the Solarman and Deye solar-management platforms that could let attackers control inverters and disrupt the power grid. The flaws were disclosed and patched, underscoring the security risks in solar IoT ecosystems and the need for robust safeguards for grid security.
Key points
- Bitdefender identified a series of vulnerabilities in PV plant management platforms operated by Solarman and Deye.
- The Solarman platform is linked to about 195 GW of solar power across millions of installations, representing roughly 20% of global solar production.
- Exploiting these flaws could let an attacker take over inverter settings and potentially cause grid disruptions or blackouts.
- The researchers observed multiple entry points in Solarman’s API architecture and cross-platform access risks with Deye.
- Vulnerabilities include full account takeover, cross-platform token reuse, and excessive data exposure of organizations and users.
- Deye and Solarman have acknowledged the issues and issued fixes; a coordinated disclosure process was followed.
- The findings highlight the importance of cybersecurity in managing decentralized solar energy and IoT-enabled grid components.
MITRE Techniques
- [T1078] Valid Accounts – ‘The Solarman platform’s /oauth2-s/oauth/token API endpoint lets attackers generate authorization tokens for any account.’
- [T1199] Trusted Relationships – ‘JWT tokens issued by the Deye Cloud platform are also valid on the Solarman platform, granting full access to the accounts based on their ID.’
- [T1213] Data from Information Repositories – ‘The Solarman API endpoints return excessive information about organizations, including private details such as email addresses and phone numbers.’
- [T1552.001] Credentials In Configuration Files/Hard-Coded Credentials – The Deye platform uses a hard-coded account with password 123456 to access device data. ‘The Deye platform uses a hard-coded account ([email protected]) with password 123456 to access device data.’
- [T1078] Valid Accounts – Authorization Token Generation – The JWT token generation issue could allow access even if the token value is malformed or not properly validated. ‘The JWT token that is generated contains a wrong value and is not accepted by the server, even though the token is valid and signed.’
Indicators of Compromise
- [Endpoint] /oauth2-s/oauth/token – Used to generate authorization tokens for accounts (Solarman); cited as the token-generation weakness.
- [Endpoint] /oauth-s/oauth/ – Token-related endpoint on Deye platform (cross-platform token behavior).
- [Endpoint] /user-s/acc/orgs – Returns extensive private information about users/organizations (information leakage).
- [Domain] solarmanpv.com – Solarman’s platform ecosystem and related corporate site referenced in disclosures.
- [URL] https://www.solarmanpv.com/corporate/about-us/ – Evidence of platform ecosystem and partnerships mentioned in context of the vulnerability discussion.