Solar Inverter Security: SMA, Sungrow, Growatt Flaws Exposed
A US-based cybersecurity firm has released a report detailing dozens of vulnerabilities it discovered in products from some of the world’s major solar inverter manufacturers. But there’s good news.
With so many solar inverters now internet-connected, the risk of a mass takeover of systems by hackers looms large: a “botnet” of compromised inverters could do widespread damage.
California’s Forescout Technologies Inc. has provided asset intelligence and control services for more than 20 years.
“The collective impact of residential solar systems on grid reliability is too significant to ignore – hospitals could lose access to critical equipment, families could go without heat in the winter or AC in a heatwave, and businesses could shut down,” according to Forescout CEO Barry Mainz. “Threat actors increasingly target critical infrastructure, making it essential to take them seriously and secure solar inverter systems before vulnerabilities lead to real-world disruptions.”
In its analysis, the firm says it discovered 46 new vulnerabilities across Sungrow, Growatt and SMA products that would have enabled attackers to compromise inverter settings or user privacy – or even take over other smart devices in a home. The good news is all of these security flaws were first responsibly disclosed by Forescout to the vendors late last year, and have since been addressed.
SMA SunnyPortal Vulnerability
Only one new security vulnerability was found associated with the grand-daddy of solar inverter producers, SMA.
The researchers found attackers were able to upload files that could be executed by the web server at sunnyportal.com, which is SMA’s platform for online monitoring. According to SMA, SunnyPortal supports more than 900,000 registered systems globally; representing more than 40 GW of solar power system capacity in over 200 countries.
The portal website has a section listing publicly available solar power system profiles – and there are thousands of them. During its testing, Forescout noticed that some system properties could be modified, including uploading imagery. Because the back-end did not check the file extension, with a bit of fiddling an attacker could upload server-side code instead of an image and then execute it simply by requesting the file through a browser.
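As an added illustration of the flaw class described above (an unrestricted file upload that turns into remote code execution), here is a deliberately flawed profile-image handler beside a hardened one. This is example code written for this article, not SMA’s code; the directory names, the PHP snippet and the PNG sample are constructed assumptions.

```python
"""Unrestricted file upload: a flawed profile-image handler next to a hardened one.
Added example; not SMA's code. WEB_ROOT, UPLOAD_STORE and the sample payloads
are assumptions constructed for this illustration."""
import os
import secrets
import tempfile

# Assumed layout: WEB_ROOT is what the web server serves (and would execute
# scripts from); UPLOAD_STORE is a separate directory the server never serves.
WEB_ROOT = tempfile.mkdtemp(prefix="webroot-")
UPLOAD_STORE = tempfile.mkdtemp(prefix="uploads-")

# Allow-listed image types and the magic bytes each must begin with.
ALLOWED_IMAGE_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024

# Constructed sample inputs: a minimal PNG header and a harmless PHP snippet
# standing in for whatever server-side code an attacker would upload.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'executed by the web server'; ?>"


class UploadRejected(Exception):
    """Raised by the hardened handler when an upload fails validation."""


def vulnerable_save(filename: str, data: bytes) -> str:
    """Deliberately flawed, mirroring a missing back-end extension check:
    trusts the client-supplied name and writes the bytes under WEB_ROOT,
    so a file named shell.php lands where the server will execute it."""
    dest_dir = os.path.join(WEB_ROOT, "profile-images")
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(filename))
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def sniff_image_type(data: bytes):
    """Return the allow-listed type whose magic bytes the content starts with, else None."""
    for ext, magic in ALLOWED_IMAGE_TYPES.items():
        if data.startswith(magic):
            return ext
    return None


def hardened_save(filename: str, data: bytes) -> str:
    """Validate size, extension and content, then store the file under a
    server-chosen random name outside the web root. Returns the stored name."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Only the final extension counts, so photo.png.php is treated as .php.
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    # The bytes must actually be the image type the name claims.
    if sniff_image_type(data) != ext:
        raise UploadRejected("content does not match the claimed image type")
    # Never reuse the client's name: a random one cannot collide, traverse
    # directories, or smuggle a script suffix past the check above.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    with open(os.path.join(UPLOAD_STORE, stored_name), "wb") as f:
        f.write(data)
    return stored_name


def is_rejected(filename: str, data: bytes) -> bool:
    """True if the hardened handler refuses this upload."""
    try:
        hardened_save(filename, data)
    except UploadRejected:
        return True
    return False


def upload_exists(stored_name: str) -> bool:
    """True if a hardened-handler upload with this name is on disk in UPLOAD_STORE."""
    return os.path.isfile(os.path.join(UPLOAD_STORE, stored_name))


def is_inside(path: str, root: str) -> bool:
    """True if path resolves to a location under root."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([os.path.realpath(path), real_root]) == real_root


if __name__ == "__main__":
    print("vulnerable handler stored:", vulnerable_save("shell.php", PHP_SAMPLE))
    for name, data in [("shell.php", PHP_SAMPLE), ("shell.png", PHP_SAMPLE),
                       ("photo.png.php", PNG_SAMPLE), ("photo.png", PNG_SAMPLE)]:
        print(f"{name:14s} rejected={is_rejected(name, data)}")
```

The hardened handler does not rely on the extension check alone: it also verifies the content’s magic bytes, caps the size, replaces the client’s file name with a random server-chosen one, and stores the result outside the web root so that it is served as data rather than executed. Even if one of the checks were bypassed, the file would land somewhere the web server has no reason to interpret as code.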
SMA fixed the issue on December 19, 2024 and then asked Forescout to verify the fix.
Sungrow Security Issues
Sungrow racked up 15 flaws. By chaining two of them, the researchers were able to take control of Sungrow inverters. Again, the company was cooperative.
“Sungrow especially engaged in very meaningful conversations about how to improve their security posture,” says Forescout.
It’s great to see Sungrow has come a long way in how it reacts to being informed by third parties about security issues. Five years ago, it was a different story.
Note: Sungrow users were advised in late February they should update the iSolarCloud Android App to the latest version via the official app store.
Growatt Flaws
The remaining 30 security flaws were associated with Growatt products.
“Growatt acknowledged and fixed the issues, which should not require changes on the inverters, but the process took much longer and was much less collaborative.”
Forescout said it notified Growatt of the flaws on November 27, 2024, then contacted the firm several times for updates and to offer assistance. Some issues were eventually fixed on February 27, 2025 and the remainder on March 13, 2025.
Forescout also stated it discovered many similar Growatt vulnerabilities had been reported by another security researcher a couple of years prior, who claimed he received no response from Growatt. Forescout couldn’t confirm whether Growatt ever addressed those issues, or whether some of the “new” flaws it discovered were the same issues that were never fixed.
Manufacturers Passing Muster – Sort Of
Limited analysis was also performed on three other manufacturers: GoodWe, Huawei and Solis. In the time allotted to each vendor, Forescout did not find any significant weaknesses.
“This does not imply that these vendors are more or less secure than the others, since for some we didn’t have access to test accounts or decided not to spend more time on the analysis,” says the firm.
Forescout’s report, which goes into more detail about the vulnerabilities discovered and realistic power grid attack scenarios, can be viewed here. You can also pick up some solar inverter security tips here – while that article was published back in 2018, the basics still apply.
Original Source: https://www.solarquotes.com.au/blog/sma-sungrow-growatt-security-mb3148/