VDE-2025-050
Vulnerability from csaf_smasolartechnologyag - Published: 2025-08-19 10:00 - Updated: 2025-08-19 10:00
Summary
SMA: Sunny Portal limited disclosure of personal data of registered users to an authenticated user
Severity
Medium
Notes
LICENSE: [CERT@VDE CSAF Template](https://github.com/CERTVDE/CSAF-Template) © 2024 by [CERT@VDE](https://certvde.com) is licensed under [CC BY-NC 4.0](https://creativecommons.org/licenses/by-nc/4.0/?ref=chooser-v1)
This document note may only be removed in order to create a CSAF advisory based on this template.
Summary: A security researcher discovered a data disclosure vulnerability in Sunny Portal powered by ennexOS, ennexos.sunnyportal.com.
A regularly authenticated user can obtain the name of another registered Sunny Portal user by entering that user's email address.
Impact: A regularly authenticated user of Sunny Portal could obtain the name and surname of other registered users.
Remediation: No action required. The vulnerability was closed in the Sunny Portal powered by ennexOS on 15 August 2025.
Product Description: Sunny Portal powered by ennexOS is an online portal for SMA customers to monitor their PV systems.
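CVE-2025-41685 (CWE-359, Exposure of Private Personal Information to an Unauthorized Actor): A low-privileged remote attacker can obtain the username of another registered Sunny Portal user by entering that user's email address.
CVSS v3.1 base score: 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N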
Vendor Fix
SMA has fixed the vulnerability on the Sunny Portal powered by ennexOS. No customer action required.
References
Acknowledgments
CERT@VDE
certvde.com
Jannik Zimmer
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"organization": "Jannik Zimmer",
"summary": "Reporting"
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "Medium"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"audience": "csaf creator",
"category": "other",
"text": "[CERT@VDE CSAF Template](https://github.com/CERTVDE/CSAF-Template) \u00a9 2024 by [CERT@VDE](https://certvde.com) is licensed under [CC BY-NC 4.0](https://creativecommons.org/licenses/by-nc/4.0/?ref=chooser-v1) \n\nThis document note may only be removed in order to create a CSAF advisory based on this template.",
"title": "LICENSE"
},
{
"category": "summary",
"text": "A security researcher discovered a data disclosure vulnerability in Sunny Portal powered by ennexOS, ennexos.sunnyportal.com.\nA regularly authenticated user can receive the name of an other registered Sunny Portal user by entering the email address of this registered user.",
"title": "Summary"
},
{
"category": "description",
"text": "A regularly authenticated user of Sunny Portal could receive name and surname of other registered users.",
"title": "Impact"
},
{
"category": "description",
"text": "No action required. The vulnerability was closed in the Sunny Portal powered by ennexOS on August, 15th 2025.",
"title": "Remediation"
},
{
"category": "description",
"text": "Sunny Portal powered by ennexOS is an online portal for SMA customers to monitor their PV Systems",
"title": "Product Description"
}
],
"publisher": {
"category": "vendor",
"contact_details": "information-security@sma.de",
"name": "SMA Solar Technology AG",
"namespace": "https://sma.de"
},
"references": [
{
"category": "external",
"summary": "SMA PSIRT",
"url": "https://www.sma.de/en/cybersecurity/product-security"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for SMA",
"url": "https://certvde.com/en/advisories/vendor/sma/"
},
{
"category": "self",
"summary": "VDE-2025-050: SMA: Sunny Portal limited disclosure of personal data of registered users to an authenticated user - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-050"
},
{
"category": "self",
"summary": "VDE-2025-050: SMA: Sunny Portal limited disclosure of personal data of registered users to an authenticated user - CSAF",
"url": "https://sma.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-050.json"
}
],
"title": "SMA: Sunny Portal limited disclosure of personal data of registered users to an authenticated user",
"tracking": {
"aliases": [
"VDE-2025-050"
],
"current_release_date": "2025-08-19T10:00:00.000Z",
"generator": {
"date": "2025-07-28T08:00:30.061Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.26"
}
},
"id": "VDE-2025-050",
"initial_release_date": "2025-08-19T10:00:00.000Z",
"revision_history": [
{
"date": "2025-08-19T10:00:00.000Z",
"number": "1",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c15.08.2025",
"product": {
"name": "ennexos.sunnyportal.com \u003c15.08.2025",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "15.08.2025",
"product": {
"name": "Software ennexos.sunnyportal.com 15.08.2025",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "ennexos.sunnyportal.com"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "SMA Solar Technology AG"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-41685",
"cwe": {
"id": "CWE-359",
"name": "Exposure of Private Personal Information to an Unauthorized Actor"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A low-privileged remote attacker can obtain the username of another registered Sunny Portal user by entering that user\u0027s email address.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001"
],
"known_affected": [
"CSAFPID-51001"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-15T10:00:00.000Z",
"details": "SMA has fixed the vulnerability on the Sunny Portal powered by ennexOS. No customer action required.",
"product_ids": [
"CSAFPID-52001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalScore": 6.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-51001"
]
}
],
"title": "CVE-2025-41685"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.