A US-based cybersecurity firm has released a report detailing dozens of vulnerabilities it discovered in products from some of the world’s major solar inverter manufacturers. But there’s good news.
With so many solar inverters now internet-connected, the risks associated with a mass takeover of systems by hackers looms large as a “botnet” of inverters could do widespread damage.
California’s Forescout Technologies Inc. has provided asset intelligence and control services for more than 20 years.
“The collective impact of residential solar systems on grid reliability is too significant to ignore – hospitals could lose access to critical equipment, families could go without heat in the winter or AC in a heatwave, and businesses could shut down,” according to Forescout CEO Barry Mainz. “Threat actors increasingly target critical infrastructure, making it essential to take them seriously and secure solar inverter systems before vulnerabilities lead to real-world disruptions.”
In its analysis, the firm says it discovered 46 new vulnerabilities across Sungrow, Growatt and SMA products that would have enabled attackers to compromise inverter settings or user privacy – or even take over other smart devices in a home. The good news is all of these security flaws were first responsibly disclosed by Forescout to the vendors late last year, and have since been addressed.
SMA SunnyPortal Vulnerability
Only one new security vulnerability was found associated with the grand-daddy of solar inverter producers, SMA.
The researchers found attackers were able to upload files that could be executed by the web server at sunnyportal.com, which is SMA’s platform for online monitoring. According to SMA, SunnyPortal supports more than 900,000 registered systems globally; representing more than 40 GW of solar power system capacity in over 200 countries.
The portal web site allows visitors to access a section listing publicly available solar power system profiles – and there are thousands. Forescout noticed during its testing that some system properties could be modified, including being able to upload imagery. But due to a lack of file extension checks on the back-end, with a bit of fiddling an attacker could upload code instead of an image and remotely execute this code through a browser request.
SMA fixed the issue on December 19, 2024 and then asked Forescout to check their work.
Sungrow Security Issues
Sungrow racked up 15 flaws. Among them, it was possible to take control of Sungrow inverters by chaining two vulnerabilities. Again, the company was cooperative.
“Sungrow especially engaged in very meaningful conversations about how to improve their security posture,” says ForeScout.
It’s great to see Sungrow has come a long way in its reaction to being informed by third-parties about security issues. Five years ago, it was a different story.
Note: Sungrow users were advised in late February they should update the iSolarCloud Android App to the latest version via the official app store.
Growatt Flaws
The remaining 30 security flaws were associated with Growatt products.
“Growatt acknowledged and fixed the issues, which should not require changes on the inverters, but the process took much longer and was much less collaborative.”
Forescout said it notified Growatt of the flaws on November 27, 2024, then contacted the firm several times for updates and to offer assistance. Some issues were eventually fixed on February 27, 2025 and the remaining on March 13.
Forescout also stated it discovered many similar Growatt vulnerabilities had been reported by another security researcher a couple of years prior, who claimed he received no response from Growatt. The company couldn’t confirm if Growatt addressed those issues or whether some of the “new” flaws discovered were the same issues that were never fixed.
Manufacturers Passing Muster – Sort Of
Limited analysis was also performed with three other manufacturers; GoodWe, Huawei and Solis. In the allotted time dedicated to each vendor, ForeScout did not find any significant weaknesses.
“This does not imply that these vendors are more or less secure than the others, since for some we didn’t have access to test accounts or decided not to spend more time on the analysis,” says the firm.
Forescout’s report, which goes into more detail about the vulnerabilities discovered and realistic power grid attack scenarios, can be viewed here. You can also pick up some solar inverter security tips here – while that article was published back in 2018, the basics still apply.
I have a SolarEdge inverter and I am not sure how firmware updates are performed. There is nothing obvious in the MySolarEdge app.
The SolarEdge support website has some technically complex information but I couldn’t find information on whether owners need to take any action or if updates are “automatic” or need to be done by qualified installers.
If it is working fine, why keep it connected to Internet? There are other options like https://www.home-assistant.io/integrations/solaredge/
Sungrow appears to keep their cards close to their chest, so only reverse-engineered add-ons can be found. Another reason for me to take their inverter off the wall. If anyone wants 1y.o. SH10RS – let me know.
I have had a similar situation. The installer added a SolarEdge Load Controller (LC) to run the Hot Water Service( HWS) to put the HWS on a timer internal to the SolarEdge inverter. While this functionality worked, the addition of a comm’s board behind the LC had a negative impact on the pricing algorithm of energy.
SolarEdge confirmed that a remote firmware upgrade had failed on the date of installation of the LC and have undertaken to replace the board. I presume the installed comm’s board is a different revision from the one that is required. If the board does indeed clear the pricing algorithm fault, so much for modularity in Engineering.
Thank you for heads up Michael!
I do not find that surprising. Australia is willingly relying on that swarm of inverters for energy security. Huawei was pushed out on grounds of national security as it comes to communications, but solar is exempt. Surely a lot of right people are making lots of money riding that wave, so I am not expecting any serious action.
At least Growatt SPF 5000 ES I did not need Internet to configure and run. All inverters I researched to replace my current SH10RS require Internet connection to be be managed. Just a week ago a firmware update was pushed into it without me asking, and I can’t find any doc re what was that update about. It is not much different from how Microsoft behaves, but in case of an inverter I’d expect an option of managing inverter locally. Clearly there is a conflict of interest between my energy security and vendor’s interest to make it cheaper and collect data. Then regulator comes with their smart meter as another attack vector.
Well said. My thoughts exactly.
I am genuinely worried about inverter security. If our grid breaks, society breaks. It is that simple.
Thanks Gate, exactly what attention should be on. Did you get the Growatt? Are you saying you only found that model in that category of not net connected functional inverters? Thanks again
My journey started quite some time ago. Because I still hope to rebuild what is called ‘house’ in this land, the 2 of SPF5000ES were supposed to be running a separate circuit not connected to the grid, powering what was not for demolition, serving as a fallback. Those we flexible to take different battery chemistries, including led. They could produce even without being connected to a battery as well. The problem was that those have small built-in fans. I would not damage my mental health listening to that level of noise for years to come, so they had to be returned.
If you install Home Assistant, it already has integrations with some inverter brands, How much integration I don’t know. What I know, Sungrow is the one not publishing their API, therefore no official integration, just hacks you need to make work somehow. Sungrow also locks you into their ecosystem, which I consider malicious. Sadly, I’ve got stuck with them because the only hybrid with 3+ MPPTs available on the island 🙁
Hi Gate,
Your SPF inverters sound like a Growatt? MPP? cheap brands mean you’ve dodged a bullet there.
You may want to check the CEC approved website listings but there’s other 3 channel inverters.
GoodWe MS Series – Available in 5-10 kW models, this series features 3 MPPTs
Deye SUN-16K-SG01LP1-EU – also 16 kW single-phase hybrid.
Fronius Gen 24 have open communications protocols and there’s a good chance the extra current ratings they handle will let you parallel an East & West array for 3 strings into two MPPTs.
REC alpha and some Trina modules have high voltage & relatively low (10amp) current output which helps.
I approached GoodWe and a few installers regarding GW9.99K-EHB-AU-G11 option. They talked to a GoodWe rep and were back to me saying there is no stock available on the island and likely not CEC-approved.
GoodWe never provided a meaningful reply, which is also a red flag, as is their website.
Because of the situation created by Labour’s bribe and tariff wars I am already at the point of no return with the Sungrow ;( ; best to invest in the stock and labour now rather than later.
I may be for a big buyer remorse later when China dumps their goods on us because of the US tariffs, but by then it will also be a different AU$, installer shortage and other issues. After the Labour’s announcement CNY to AUD jumped higher than ever in the last 5 years, before falling back after one week. What can we know about the future when even the History is unpredictable 🙂