ID

VAR-201708-1535


CVE

CVE-2017-9863


TITLE

SMA Solar Technology Sunny Explorer and inverter Cross-Site Request Forgery Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2017-28422 // CNNVD: CNNVD-201708-197

DESCRIPTION

An issue was discovered in SMA Solar Technology products. If a user simultaneously has Sunny Explorer running and visits a malicious host, cross-site request forgery can be used to change settings in the inverters (for example, issuing a POST request to change the user password). All Sunny Explorer settings available to the authenticated user are also available to the attacker. (In some cases, this also includes changing settings that the user has no access to.) This may result in complete compromise of the device. NOTE: the vendor reports that exploitation is unlikely because Sunny Explorer is used only rarely. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected. ** Unsettled ** This case has not been confirmed as a vulnerability. The vendor has disputed this vulnerability. For details, see the Current Description in NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-9863. Information may be obtained or altered, and service operation may be disrupted (DoS). SMA Solar Technology Sunny Explorer is photovoltaic device management software from SMA of Germany. The SMA Solar Technology inverter is a photovoltaic inverter device from SMA of Germany. The vulnerability could be exploited by a remote attacker to change the settings of the inverter.

Trust: 2.25

sources: NVD: CVE-2017-9863 // JVNDB: JVNDB-2017-006892 // CNVD: CNVD-2017-28422 // VULHUB: VHN-118066

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-28422

AFFECTED PRODUCTS

vendor: sma model: sunny tripower 60 scope: eq version: -

Trust: 1.6

vendor: sma model: sunny boy 3600 scope: eq version: -

Trust: 1.6

vendor: sma model: sunny tripower 20000tl scope: eq version: -

Trust: 1.6

vendor: sma model: sunny tripower 5000tl scope: eq version: -

Trust: 1.6

vendor: sma model: sunny tripower core1 scope: eq version: -

Trust: 1.6

vendor: sma model: sunny boy 5000 scope: eq version: -

Trust: 1.6

vendor: sma model: sunny boy 3000tl scope: eq version: -

Trust: 1.6

vendor: sma model: sunny tripower 12000tl scope: eq version: -

Trust: 1.6

vendor: sma model: sunny tripower 15000tl scope: eq version: -

Trust: 1.6

vendor: sma model: sunny tripower 25000tl scope: eq version: -

Trust: 1.6

vendor: sma model: sunny central 630cp xt scope: eq version: -

Trust: 1.0

vendor: sma model: sunny boy storage 2.5 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny boy 3600tl scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central storage 720 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central storage 760 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central storage 800 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny boy 4.0 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central 500cp xt scope: eq version: -

Trust: 1.0

vendor: sma model: sunny boy 3.6 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central storage 500 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central storage 2200 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central 2200 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny boy 2.5 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central 800cp xt scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central storage 630 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny boy 5.0 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central 720cp xt scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central 760cp xt scope: eq version: -

Trust: 1.0

vendor: sma model: sunny boy 3.0 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central 900cp xt scope: eq version: -

Trust: 1.0

vendor: sma model: sunny explorer scope: eq version: -

Trust: 1.0

vendor: sma model: sunny boy 4000tl scope: eq version: -

Trust: 1.0

vendor: sma model: sunny boy 1.5 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny boy 5000tl scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central storage 900 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central storage 1000 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central storage 850 scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central 1000cp xt scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central 850cp xt scope: eq version: -

Trust: 1.0

vendor: sma model: sunny central storage 2500-ev scope: eq version: -

Trust: 1.0

vendor: sma solar model: sunny boy 1.5 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 2.5 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 3.0 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 3.6 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 3000tl scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 3600 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 3600tl scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 4.0 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 4000tl scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 5.0 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 5000 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy 5000tl scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny boy storage 2.5 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central 1000cp xt scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central 2200 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central 500cp scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central 630cp scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central 720cp xt scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central 760cp xt scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central 800cp xt scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central 850cp xt scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central 900cp xt scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central storage 1000 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central storage 2200 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central storage 2500-ev scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central storage 500 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central storage 630 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central storage 720 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central storage 760 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central storage 800 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central storage 850 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny central storage 900 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny explorer scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny tripower 12000tl scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny tripower 15000tl scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny tripower 20000tl scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny tripower 25000tl scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny tripower 5000tl scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny tripower 60 scope: - version: -

Trust: 0.8

vendor: sma solar model: sunny tripower core1 scope: - version: -

Trust: 0.8

vendor: sma model: solar technology inverter scope: - version: -

Trust: 0.6

vendor: sma model: solar technology sunny explorer scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2017-28422 // JVNDB: JVNDB-2017-006892 // CNNVD: CNNVD-201708-197 // NVD: CVE-2017-9863

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9863
value: HIGH

Trust: 1.0

NVD: CVE-2017-9863
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-28422
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201708-197
value: MEDIUM

Trust: 0.6

VULHUB: VHN-118066
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-9863
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-28422
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-118066
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-9863
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-28422 // VULHUB: VHN-118066 // JVNDB: JVNDB-2017-006892 // CNNVD: CNNVD-201708-197 // NVD: CVE-2017-9863

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.9

sources: VULHUB: VHN-118066 // JVNDB: JVNDB-2017-006892 // NVD: CVE-2017-9863

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-197

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201708-197

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-006892

PATCH

title: Statement on Cyber Security url: https://www.sma.de/en/statement-on-cyber-security.html

Trust: 0.8

title: WHITEPAPER CYBER SECURITY url: https://www.sma.de/fileadmin/content/global/specials/documents/cyber-security/Whitepaper-Cyber-Security-AEN1732_07.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2017-006892

EXTERNAL IDS

db: NVD id: CVE-2017-9863

Trust: 3.1

db: JVNDB id: JVNDB-2017-006892

Trust: 0.8

db: CNNVD id: CNNVD-201708-197

Trust: 0.7

db: CNVD id: CNVD-2017-28422

Trust: 0.6

db: VULHUB id: VHN-118066

Trust: 0.1

sources: CNVD: CNVD-2017-28422 // VULHUB: VHN-118066 // JVNDB: JVNDB-2017-006892 // CNNVD: CNNVD-201708-197 // NVD: CVE-2017-9863

REFERENCES

url: https://horusscenario.com/cve-information/

Trust: 2.3

url: http://www.sma.de/en/statement-on-cyber-security.html

Trust: 1.1

url: http://www.sma.de/fileadmin/content/global/specials/documents/cyber-security/whitepaper-cyber-security-aen1732_07.pdf

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9863

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-9863

Trust: 0.8

sources: CNVD: CNVD-2017-28422 // VULHUB: VHN-118066 // JVNDB: JVNDB-2017-006892 // CNNVD: CNNVD-201708-197 // NVD: CVE-2017-9863

SOURCES

db: CNVD id: CNVD-2017-28422
db: VULHUB id: VHN-118066
db: JVNDB id: JVNDB-2017-006892
db: CNNVD id: CNNVD-201708-197
db: NVD id: CVE-2017-9863

LAST UPDATE DATE

2025-04-20T23:36:47.660000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2017-28422 date: 2017-09-27T00:00:00
db: VULHUB id: VHN-118066 date: 2017-08-22T00:00:00
db: JVNDB id: JVNDB-2017-006892 date: 2017-09-06T00:00:00
db: CNNVD id: CNNVD-201708-197 date: 2017-08-09T00:00:00
db: NVD id: CVE-2017-9863 date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD id: CNVD-2017-28422 date: 2017-09-26T00:00:00
db: VULHUB id: VHN-118066 date: 2017-08-05T00:00:00
db: JVNDB id: JVNDB-2017-006892 date: 2017-09-06T00:00:00
db: CNNVD id: CNNVD-201708-197 date: 2017-08-09T00:00:00
db: NVD id: CVE-2017-9863 date: 2017-08-05T17:29:00.817