Facepalm: Contec is an Osaka-based company that sells a dedicated monitoring system for solar power plants known as SolarView. Despite its widespread installation in over 30,000 power stations, the brand is plagued by significant security vulnerabilities that can be exploited remotely by attackers.
Contec explains that SolarView devices are designed to "monitor and visualize" power generation, equipment status, and error alarms in various types of solar-based power stations. However, these monitoring devices have recently raised concerns due to the presence of severe security vulnerabilities in their firmware, which have already been exploited.
According to "vulnerability intelligence" company VulnCheck, the search engine for vulnerable devices, Shodan, currently indexes over 600 SolarView systems. These devices are accessible through the open Internet, and that's a major concern. The second issue, tracked as CVE-2022-29303, is a command injection vulnerability with a "critical" severity score of 9.8 out of 10.
Version 6.00 of the SolarView Compact system is susceptible to a critical security flaw that enables remote execution of malicious commands. Cyber-criminals have actively exploited this vulnerability to spread a variant of the Mirai botnet, infecting routers and IoT devices. If a SolarView system is compromised, it has the potential to disrupt the visibility of solar power plants for companies, presenting either a troublesome or highly dangerous situation depending on the application and location of the monitoring devices.
Furthermore, VulnCheck emphasizes that the CVE description for the affected firmware version may not accurately reflect the true number of vulnerable devices. Version 6.00 was released in 2019, but the command injection bug is still present in subsequent firmware releases at least until version 8.10 (from this year).
According to VulnCheck analysts, less than a third of Internet-facing SolarView systems have been patched against CVE-2022-29303. Furthermore, there are indications that this vulnerability may have been exploited in the wild for a significant period.
Moreover, the SolarView firmware appears to be affected by additional vulnerabilities including CVE-2023-23333, which is another remote code execution-type flaw, and CVE-2022-44354, which could be exploited to upload a malicious PHP webshell to a vulnerable system.
VulnCheck emphasizes the importance for sysadmins to consistently install the latest updates for critical systems. Multiple exploits targeting the SolarView CVE-2023-23333 flaw are available on GitHub, and affected organizations should definitely check the systems that appear in their public IP space and "track public exploits for systems that they rely on."