SolarEdge Monitoring Platform Vulnerable to CSRF & OOB Injection Allowing Session Hijack and Potential PV System Control
What Happened — A business‑logic flaw in the /solaredge-web/p/initClient endpoint permits unauthenticated cross‑site request forgery (CSRF) and out‑of‑band (OOB) header injection via crafted X‑Forwarded‑For and Referer values. An attacker can force a legitimate operator’s browser to execute arbitrary commands and can cause the SolarEdge backend to reach attacker‑controlled domains, potentially hijacking sessions and manipulating photovoltaic (PV) system operations.
Why It Matters for TPRM —
- The vulnerability resides in a SaaS monitoring service that many utilities and solar‑farm operators rely on as a third‑party provider.
- Successful exploitation could give threat actors indirect control over critical energy‑generation assets.
- No public CVE; the issue is disclosed only via Exploit‑DB, meaning many customers may be unaware of the risk.
Who Is Affected — Energy & Utilities (solar‑power generation), Cloud‑hosted monitoring SaaS vendors, and any organization that integrates SolarEdge’s monitoring platform into its operational workflow.
Recommended Actions —
- Immediately verify whether your organization uses SolarEdge’s Monitoring Platform.
- Apply vendor‑provided mitigations (input validation, CSRF tokens, header sanitisation) or block the vulnerable endpoint at the perimeter.
- Conduct a focused security review of third‑party SaaS integrations for similar business‑logic flaws.
- Update your third‑party risk register to reflect the elevated risk to critical energy infrastructure.
Technical Notes — The flaw is a CSRF/OOB injection (no CVE assigned). Exploitation requires a crafted POST request to /solaredge-web/p/initClient and manipulation of X‑Forwarded‑For/Referer headers, leading to session cookie overwrite and forced outbound requests. Impact includes session compromise and potential unauthorized control of PV systems. Source: Exploit‑DB 52569