SEDG-2024-1

Advisory ID:

SEDG-2024-1


CVE(s):

CVE-2024-28756


Issue Summary:

MySolarEdge Android app before version 2.20.1 does not properly verify TLS server certificates.
 

CVSSv3 as reported by reporter:

Score 5.9, Medium
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N


CVSSv3 SolarEdge analysis:

Score 5.9, Medium
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N


Advisory publication date:

21.3.2024


Update on:

21.3.2024

________________________________________
 

1. Advisory Details


Impacted products and versions

- MySolarEdge Android app before version 2.20.1.

- Not impacted: MySolarEdge iOS app
 

Description:
The MySolarEdge Android app before version 2.20.1 does not properly verify the TLS server certificates it receives, so a certificate that should be rejected can be accepted.


Known attack vectors:
A malicious actor positioned on the same network as the device (the reported vector is adjacent, AV:A) may be able to exploit the vulnerability by presenting an invalid certificate to the app, placing themselves as a machine-in-the-middle between the app and its server and reading, and to a limited extent altering, the app's traffic (C:H, I:L in the CVSS vector above).
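
The following is an added example and is not SolarEdge's code or the app's code. It reproduces the vulnerability class described in the Description and Known attack vectors sections generically in Go rather than in Android Java/Kotlin: a TLS client that has switched off certificate verification (the Android equivalent is an X509TrustManager that accepts every chain, or a HostnameVerifier that always returns true) completes a handshake with an on-path attacker presenting a self-signed certificate for the backend's name, while a client that trusts only the expected certificate and checks the hostname rejects both the attacker's certificate and a name mismatch. The hostname portal.example.com, the self-signed certificates and the loopback TCP connection are all constructed for the demonstration; none of them are details of the MySolarEdge app or its backend.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Host is a placeholder backend name for this demo (an assumption, not SolarEdge's host).
const Host = "portal.example.com"

// MakeCert builds a self-signed leaf for name: constructed test material that
// stands in both for the real server's certificate and for the one a MITM presents.
func MakeCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Handshake runs one TLS handshake over a loopback TCP socket against a server
// presenting serverCert and returns the client's verdict: nil means accepted.
func Handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() { // server side; its own verdict is not what we measure
		defer close(done)
		if s, err := ln.Accept(); err == nil {
			defer s.Close()
			_ = tls.Server(s, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	_ = c.SetDeadline(time.Now().Add(10 * time.Second))
	err = tls.Client(c, clientCfg).Handshake()
	c.Close() // raw close (no close_notify); also unblocks the server goroutine
	<-done
	return err
}

// Scenarios contrasts a client with verification switched off (the Android
// analogue: a trust-all X509TrustManager or an always-true HostnameVerifier)
// with one that trusts only the expected certificate and checks the name.
func Scenarios() (map[string]error, error) {
	legit, err := MakeCert(Host)
	if err != nil {
		return nil, err
	}
	attacker, err := MakeCert(Host) // same name, different key: what a MITM presents
	if err != nil {
		return nil, err
	}
	trustAll := &tls.Config{InsecureSkipVerify: true} // the vulnerable pattern
	pool := x509.NewCertPool()
	pool.AddCert(legit.Leaf)
	pinned := func(name string) *tls.Config { // trusts only legit; verifies name
		return &tls.Config{RootCAs: pool, ServerName: name}
	}
	return map[string]error{ // nil error = the client accepted the server
		"trust-all client vs attacker cert": Handshake(attacker, trustAll),
		"pinned client vs legit cert":       Handshake(legit, pinned(Host)),
		"pinned client vs attacker cert":    Handshake(attacker, pinned(Host)),
		"pinned client vs wrong hostname":   Handshake(legit, pinned("other.example.com")),
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range res {
		fmt.Printf("%-34s -> %v\n", name, verdict)
	}
}
```

Running it shows the trust-all client accepting the attacker's certificate (verdict nil), the pinned client accepting the legitimate one, and the pinned client rejecting the attacker's certificate with an x509.UnknownAuthorityError and the name mismatch with an x509.HostnameError. In practice this class of bug in a mobile app is checked by routing the app through an intercepting proxy whose CA the device has not been told to trust: an app that verifies correctly refuses to connect, an affected app keeps working and its traffic is readable on the proxy.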


Resolution:
Upgrade the MySolarEdge Android app to version 2.20.1 or the latest version available in the Google Play Store.


Workarounds:
N/A


Additional documentation:
N/A


Acknowledgments:
SolarEdge would like to thank researcher Tobias Jäger from the firm SySS GmbH for reporting this issue.



2. References

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28756

MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28756


3. Change log

N/A
 

4. Contact and information

SolarEdge Cyber Security Policy

EMAIL: Product.Security@solaredge.com