Multiple stored cross-site scripting vulnerabilities in iSolarCloud allowed attackers to run arbitrary JavaScript code in the browser of other users
Solar Energy
NTCF: NTCF-2025-87776
CVE: SGSA-202512-122201, SGSA-202512-122202
Product: iSolarCloud
Vendor: SUNGROW
Criticality: medium
Status: fixed
Discovered: 2025-09-25
Detail: Public
Vulnerable version: <2025-12-18
Fixed version: 2025-12-18
Description
iSolarCloud, the cloud platform by SUNGROW, was found to contain multiple cross-site scripting (XSS) vulnerabilities. The vendor fixed the reported vulnerabilities by December 18, 2025 and issued these advisories:
- https://www.sungrowpower.com/en/security-notice-detail-2/6233
- https://www.sungrowpower.com/en/security-notice-detail-2/6345
In accordance with the NTC Vulnerability Disclosure Policy, no technical details about this vulnerability will be publicly disclosed. Further details may be provided on a case-by-case basis.
Please use the contact form and provide an explanation for your request.
Timeline
2025-09-25: initial discovery
2025-10-01: first contact to vendor
2025-10-01: private disclosure to vendor
2025-11-30: acknowledgment of report by vendor
2025-12-03: follow-up report for clarification
2025-12-11: initial fix deployed by vendor
2025-12-11: re-test and follow-up report with additional XSS
2025-12-18: fix by vendor
2025-12-26: publication of advisories by vendor
2026-01-07: public disclosure