An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation.
Cross-Site Request Forgery
SMA Solar Technology AG
Sunny WebBox Firmware Version 1.6 and prior
This product is end-of-life and is no longer supported.
SMA recommends deactivation of port forwarding as it is not required for monitoring PV systems via the SMA Sunny Portal. If direct access to a system from the Internet is necessary, SMA recommends using an encrypted virtual private network (VPN). On delivery, any saved default passwords should also be replaced with individual secure passwords, and unused ports on the system/router should be closed.