Critical RCE Bugs Expose Hundreds of Solar Power Stations

Recently, cybersecurity researchers at VulnCheck revealed that hundreds of internet-exposed SolarView systems on Shodan have been patched against a critical command injection vulnerability.

Experts indicated that both the Mirai botnet hackers and inexperienced individuals have already begun exploiting it, with more expected to join in.

Unit 42 researchers at Palo Alto Networks found that the Mirai botnet is exploiting a command injection vulnerability (CVE-2022-29303) in Contec’s SolarView Series software to spread.

Over 30,000 solar power stations utilize SolarView, and among the critical vulnerabilities, CVE-2022-29303 stands as one of three.

Flaw Profile

  • CVE ID: CVE-2022-29303
  • Description: SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.
  • CVSS Score: 9.8
  • Severity: CRITICAL

SolarView Systems Indexed

Currently, there are over 600 systems indexed by Shodan. SolarView tracks and displays solar power generation and storage for small to medium-scale installations.

systems (Source – VulnCheck)

Given the indexed public exploits by VulnCheck Exploit Intelligence, experts delved into exploring the potential scope and impact of this exploitation in real-world scenarios.

Besides its introduction on more than 30000 power stations, Contec also highlights the deployment scenarios for:-

  • SolarView Air
  • SolarView Battery

This shows the hardware’s application in buildings and solar power plants that are commercial in nature.

While one should never come across an internet-accessible Contec SolarView due to its clear focus on ICS networks

SolarView’s impacted versions include ‘ver.6.00,’ which dates back to 2019, and since then, SolarView Compact has undergone four firmware updates:-

  • 6.20 in 2019
  • 7.00 in 2021
  • 8.00 in 2022
  • 8.10 in 2023

It implies that a limited number of exposed hosts are susceptible to the vulnerability. CVE-2022-29303 impacts the conf_mail.php endpoint of the web server, and despite version 6.20 being released after the vulnerable 6.00, it did not address the problem.

Both versions 6.00 and 6.20 were affected, with experts discovering the existence of a simple command injection in conf_mail.php since version 4.00.

Validation was implemented for the attacker-controlled $mail_address variable only in version 8.00 when conf_mail.php was included in the auth require list.

The impact extends beyond what the CVE description suggests, as less than one-third of the internet-exposed SolarView series systems have addressed CVE-2022-29303.

Vulnerable Systems (Source – VulnCheck)

The blog from Unit 42 wasn’t the initial signal of the vulnerability being exploited; since May 2022, an Exploit-DB entry for CVE-2022-29303 has existed.

Other RCEs

The SolarView systems are also impacted by a few additional unauthenticated Remote Code Executions (RCEs), and here they are mentioned below:-

Up to version 8.00, the SolarView series is vulnerable to CVE-2023-23333, and it’s a simple command injection impacting the downloader.php endpoint.

Compact versions 4.0, 5.0, and 6.0 are susceptible to CVE-2022-44354, a file upload vulnerability enabling attackers to upload a PHP web shell onto the system.

Since the SolarView series primarily serve as a monitoring system, the worst-case scenario would likely involve a loss of visibility.

The exploitation’s impact can vary significantly depending on the network integration of the SolarView hardware, potentially resulting in substantial consequences.

It is crucial for organizations to monitor their public IP space and stay updated on public exploits targeting their essential systems.

“AI-based email security measures Protect your business From Email Threats!” – .

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

15 hours ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

15 hours ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

16 hours ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

16 hours ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

16 hours ago

DigiEver IoT Devices Exploited To Deliver Mirai-based Malware

A new Mirai-based botnet, "Hail Cock Botnet," has been exploiting vulnerable IoT devices, including DigiEver…

16 hours ago