Solar Inverter Security: SMA, Sungrow, Growatt Flaws Exposed

Solar inverter security

A US-based cybersecurity firm has released a report detailing dozens of vulnerabilities it discovered in products from some of the world’s major solar inverter manufacturers. But there’s good news.

With so many solar inverters now internet-connected, the risk of a mass takeover of systems by hackers looms large, as a “botnet” of inverters could do widespread damage.

California’s Forescout Technologies Inc. has provided asset intelligence and control services for more than 20 years.

“The collective impact of residential solar systems on grid reliability is too significant to ignore – hospitals could lose access to critical equipment, families could go without heat in the winter or AC in a heatwave, and businesses could shut down,” according to Forescout CEO Barry Mainz. “Threat actors increasingly target critical infrastructure, making it essential to take them seriously and secure solar inverter systems before vulnerabilities lead to real-world disruptions.”

In its analysis, the firm says it discovered 46 new vulnerabilities across Sungrow, Growatt and SMA products that would have enabled attackers to compromise inverter settings or user privacy – or even take over other smart devices in a home. The good news is all of these security flaws were first responsibly disclosed by Forescout to the vendors late last year, and have since been addressed.

SMA SunnyPortal Vulnerability

Only one new security vulnerability was found associated with the grand-daddy of solar inverter producers, SMA.

The researchers found attackers were able to upload files that could be executed by the web server at sunnyportal.com, which is SMA’s platform for online monitoring. According to SMA, SunnyPortal supports more than 900,000 registered systems globally, representing more than 40 GW of solar power system capacity in over 200 countries.

The portal web site allows visitors to access a section listing publicly available solar power system profiles – and there are thousands. Forescout noticed during its testing that some system properties could be modified, including being able to upload imagery. But due to a lack of file extension checks on the back-end, with a bit of fiddling an attacker could upload code instead of an image and remotely execute this code through a browser request.
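As an added defensive illustration (not code from SMA or Forescout), the check below shows the kind of server-side validation a profile-image upload handler needs to stop the file-extension gap described above: the extension allowlist, size cap and magic-byte table are assumptions, and the stored name is chosen by the server rather than the uploader.

```python
# Added example: a defensive upload validator (not SMA's or Forescout's code).
# It enforces an extension allowlist, checks the file's leading bytes against
# the declared image type, and returns a server-chosen storage name so the
# uploaded file name never reaches the web server's document root.
import os
import secrets

# Allowed image extensions mapped to the magic bytes each must start with
# (assumed allowlist for a profile-image feature).
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed 2 MiB cap for a profile image


def validate_image_upload(filename: str, data: bytes):
    """Return (ok, detail).

    ok=False carries a rejection reason; ok=True carries a random storage
    name ending in the validated extension. The original name is never reused.
    """
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized upload"
    base = os.path.basename(filename)           # drop any path components
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed"
    # Reject names whose interpretation depends on how the server parses
    # extensions: double extensions, embedded null bytes, trailing dots.
    if "." in stem or "\x00" in base or base.endswith("."):
        return False, "ambiguous file name"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    # Server-generated name: no uploader-controlled characters reach the path.
    return True, secrets.token_hex(16) + ext
```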

SMA fixed the issue on December 19, 2024 and then asked Forescout to check their work.

Sungrow Security Issues

Sungrow racked up 15 flaws. Among them, it was possible to take control of Sungrow inverters by chaining two vulnerabilities. Again, the company was cooperative.

“Sungrow especially engaged in very meaningful conversations about how to improve their security posture,” says Forescout.

It’s great to see Sungrow has come a long way in its reaction to being informed by third-parties about security issues. Five years ago, it was a different story.

Note: Sungrow users were advised in late February they should update the iSolarCloud Android App to the latest version via the official app store.

Growatt Flaws

The remaining 30 security flaws were associated with Growatt products.

“Growatt acknowledged and fixed the issues, which should not require changes on the inverters, but the process took much longer and was much less collaborative.”

Forescout said it notified Growatt of the flaws on November 27, 2024, then contacted the firm several times for updates and to offer assistance. Some issues were eventually fixed on February 27, 2025 and the remainder on March 13, 2025.

Forescout also stated it discovered many similar Growatt vulnerabilities had been reported by another security researcher a couple of years prior, who claimed he received no response from Growatt. The company couldn’t confirm if Growatt addressed those issues or whether some of the “new” flaws discovered were the same issues that were never fixed.

Manufacturers Passing Muster – Sort Of

Limited analysis was also performed with three other manufacturers: GoodWe, Huawei and Solis. In the time allotted to each vendor, Forescout did not find any significant weaknesses.

“This does not imply that these vendors are more or less secure than the others, since for some we didn’t have access to test accounts or decided not to spend more time on the analysis,” says the firm.

Forescout’s report, which goes into more detail about the vulnerabilities discovered and realistic power grid attack scenarios, can be viewed here. You can also pick up some solar inverter security tips here – while that article was published back in 2018, the basics still apply.

About Michael Bloch

Michael caught the solar power bug after purchasing components to cobble together a small off-grid PV system in 2008. He's been reporting on Australian and international solar energy news ever since.

Comments

  1. Michael Paine says

    I have a SolarEdge inverter and I am not sure how firmware updates are performed. There is nothing obvious in the MySolarEdge app.

    The SolarEdge support website has some technically complex information but I couldn’t find information on whether owners need to take any action or if updates are “automatic” or need to be done by qualified installers.

    • If it is working fine, why keep it connected to Internet? There are other options like https://www.home-assistant.io/integrations/solaredge/

      Sungrow appears to keep their cards close to their chest, so only reverse-engineered add-ons can be found. Another reason for me to take their inverter off the wall. If anyone wants 1y.o. SH10RS – let me know.

    • I have had a similar situation. The installer added a SolarEdge Load Controller (LC) to run the Hot Water Service (HWS) to put the HWS on a timer internal to the SolarEdge inverter. While this functionality worked, the addition of a comm’s board behind the LC had a negative impact on the pricing algorithm of energy.

      SolarEdge confirmed that a remote firmware upgrade had failed on the date of installation of the LC and have undertaken to replace the board. I presume the installed comm’s board is a different revision from the one that is required. If the board does indeed clear the pricing algorithm fault, so much for modularity in Engineering.

  2. Thank you for the heads up, Michael!
    I do not find that surprising. Australia is willingly relying on that swarm of inverters for energy security. Huawei was pushed out on grounds of national security as it comes to communications, but solar is exempt. Surely a lot of right people are making lots of money riding that wave, so I am not expecting any serious action.

    At least Growatt SPF 5000 ES I did not need Internet to configure and run. All inverters I researched to replace my current SH10RS require Internet connection to be managed. Just a week ago a firmware update was pushed into it without me asking, and I can’t find any doc re what that update was about. It is not much different from how Microsoft behaves, but in case of an inverter I’d expect an option of managing inverter locally. Clearly there is a conflict of interest between my energy security and vendor’s interest to make it cheaper and collect data. Then regulator comes with their smart meter as another attack vector.

    • Well said. My thoughts exactly.

      I am genuinely worried about inverter security. If our grid breaks, society breaks. It is that simple.
