Threat actors have identified a critical exposure in SMA's deprecated Sunny WebBox devices, which remain widely internet-exposed despite being discontinued over a decade ago. Nearly 35,000 solar power systems globally, primarily concentrated in Germany and Greece (20% each), are vulnerable to remote compromise. These devices, used for solar inverter performance monitoring, lack modern security patches, creating a persistent attack surface. Cybersecurity experts warn that the energy sector faces heightened risks due to poor asset visibility and unmanaged communication pathways between legacy and modern infrastructure. A successful exploit could allow attackers to disrupt solar energy generation, manipulate power distribution, or even cause cascading outages in critical infrastructure. Given the scale of exposed systems, spanning 42 manufacturers, the threat extends beyond SMA, amplifying risks to regional energy stability. Experts emphasize that without real-time asset tracking and network segmentation, operators remain blind to lateral movement risks, leaving grids susceptible to sabotage, espionage, or large-scale operational failure. The incident underscores the urgent need for legacy system retirement and robust visibility controls in industrial environments.
Source: https://www.scworld.com/brief/almost-35k-solar-power-systems-vulnerable-to-remote-attacks
TPRM report: https://www.rankiteo.com/company/sma-solar
{
  "id": "sma3152431112825",
  "linkid": "sma-solar",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{
  "affected_entities": [
    {
      "industry": "renewable energy (solar)",
      "location": ["Germany", "global"],
      "name": "SMA Solar Technology AG",
      "type": "manufacturer"
    },
    {
      "industry": "renewable energy (solar)",
      "location": ["Europe", "Asia", "global"],
      "name": "42 unnamed solar device manufacturers",
      "type": ["manufacturers", "vendors"]
    },
    {
      "industry": "energy",
      "location": ["Germany (20% of exposed systems)", "Greece (20% of exposed systems)", "Europe", "Asia"],
      "name": "Solar power system operators (Germany, Greece, and other regions)",
      "type": ["energy providers", "critical infrastructure operators"]
    }
  ],
  "attack_vector": ["remote exploitation", "exposed internet-facing devices", "legacy/deprecated systems"],
  "data_breach": {
    "sensitivity_of_data": ["operational data", "potentially critical infrastructure metrics"],
    "type_of_data_compromised": ["solar inverter performance data"]
  },
  "description": "Threat actors could remotely compromise almost 35,000 internet-exposed solar power systems worldwide. Most of the online solar devices, developed by 42 different companies, were located in Europe and Asia, with Germany and Greece each accounting for 20% of the exposed equipment. The SMA Sunny WebBox device, deprecated a decade ago but still widely used for solar inverter performance data gathering, remained the most exposed system. The incident highlights persistent risks from long-discontinued equipment and visibility challenges due to infrastructure sprawl in the energy sector.",
  "impact": {
    "brand_reputation_impact": ["potential reputational damage to affected solar companies", "concerns over critical infrastructure security"],
    "data_compromised": ["solar inverter performance data"],
    "operational_impact": ["potential remote compromise of solar power systems", "risk to energy sector stability"],
    "systems_affected": ["35,000 internet-exposed solar power systems", "SMA Sunny WebBox devices"]
  },
  "initial_access_broker": {
    "entry_point": ["internet-exposed solar devices", "legacy SMA Sunny WebBox systems"],
    "high_value_targets": ["solar inverter performance data", "critical infrastructure control systems"]
  },
  "investigation_status": "reported (ongoing visibility challenges noted)",
  "lessons_learned": [
    "Persistent risks from long-discontinued or end-of-life devices in critical infrastructure.",
    "Lack of visibility into exposed assets and their communication pathways exacerbates vulnerabilities.",
    "Infrastructure sprawl complicates asset management and security monitoring.",
    "Legacy systems in the energy sector remain high-value targets for threat actors."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Audit and decommission end-of-life solar power systems.",
      "Deploy network segmentation for OT environments.",
      "Enhance asset discovery and communication mapping tools.",
      "Implement continuous monitoring for exposed OT devices.",
      "Establish vendor collaboration for legacy system patching/mitigation."
    ],
    "root_causes": [
      "Prolonged use of deprecated/end-of-life devices (e.g., SMA Sunny WebBox).",
      "Lack of visibility into exposed assets and their communication pathways.",
      "Inadequate security controls for internet-facing operational technology (OT) systems.",
      "Infrastructure sprawl leading to unmanaged or forgotten devices."
    ]
  },
  "recommendations": [
    "Implement comprehensive asset visibility and communication mapping for critical infrastructure.",
    "Decommission or secure deprecated/end-of-life devices in solar power systems.",
    "Enhance monitoring for internet-exposed operational technology (OT) devices.",
    "Prioritize segmentation and access controls for solar inverter systems.",
    "Collaborate with cybersecurity vendors (e.g., Forescout, Claroty) for threat detection and mitigation."
  ],
  "references": [
    {"source": "Cybersecurity Dive"},
    {"source": "Forescout Research Report"},
    {"source": "Claroty (Gary Kneeland, Senior Product Manager)"}
  ],
  "response": {
    "communication_strategy": ["public disclosure via Cybersecurity Dive", "expert commentary on risks"],
    "enhanced_monitoring": ["recommended: asset visibility and communication mapping for critical infrastructure protection"],
    "third_party_assistance": ["Forescout (research/reporting)", "Claroty (analysis/commentary)"]
  },
  "title": "Global Exposure of 35,000 Internet-Exposed Solar Power Systems",
  "type": ["unauthorized access", "exposure of critical infrastructure"],
  "vulnerability_exploited": ["lack of asset visibility", "unpatched/end-of-life devices", "insecure communication protocols"]
}