Security researchers have discovered the exploitation of vulnerabilities in the SolarView Series, an industrial control systems (ICS) hardware widely used for monitoring solar power generation and storage.
The vulnerability tracked as CVE-2022-29303, is described as an unauthenticated and remote command injection vulnerability affecting the Contec SolarView Series, poses a significant threat to organizations relying on these ICS devices.
Subsequent to the investigation it has been discovered the impact of this vulnerability extends far beyond the initially reported subset of affected systems. Less than one-third of the internet-facing SolarView installations have applied the necessary patches, exposing many systems to exploitation.
Researchers also uncovered two additional unauthenticated, remote code execution vulnerabilities affecting the SolarView Series. CVE-2023-23333 and CVE-2022-44354, which can enable attackers to execute arbitrary commands and upload malicious PHP web shells.
The active exploitation of these vulnerabilities is evident from multiple sources, including Exploit-DB entries, GitHub exploits, and even a publicly available YouTube video demonstrating an attack on a SolarView system.
Researchers have determined that there are a few hundred internet-facing systems that remain affected by these issues. When considered in isolation, exploitation of this system is not significant. The SolarView series are all monitoring systems, so loss of view (T0829) is likely the worst-case scenario.
The impact of exploitation could be high impact depending on the network the SolarView hardware is integrated. If the hardware is part of a solar power generation site, and then the attacker may affect loss of productivity and revenue (T0828) by using the hardware as a network pivot to attack other ICS resources
To safeguard critical infrastructure and prevent unauthorized access, organizations using SolarView hardware must swiftly apply patches.
This research was documented by researchers from VulnCheck