Vulnerability Puts Solar Power Stations at Risk: Urgent Patching Required

Article by: Andacs Robert Eugen, on 06 July 2023, at 01:55 am PDT
A critical vulnerability in Internet-exposed devices used at solar farms poses a significant threat: hundreds of the devices remain unpatched and are being actively targeted by attackers. Sold under the SolarView brand by Contec, a Japan-based company, the devices monitor power generation, storage, and distribution within solar facilities. A flaw tracked as CVE-2022-29303 exposes them to remote attack, allowing malicious actors to disrupt operations or gain unauthorized access to the facilities.
According to researchers from security firm VulnCheck, Shodan searches show that more than 600 of these devices are reachable on the open Internet, and more than two-thirds of them have not applied the update that fixes the critical vulnerability. Palo Alto Networks reported last month that the flaw was being actively exploited by an operator of the Mirai botnet, which primarily targets Internet of Things (IoT) devices. Successful exploitation can disrupt operations at the affected solar facilities.
VulnCheck researcher Jacob Baines stressed the urgency of addressing the issue and of monitoring for public exploits against these systems. Beyond CVE-2022-29303, Baines noted that the same devices are also affected by CVE-2023-23333, a newer command-injection vulnerability with a CVSS severity rating of 9.8. There are no known reports of active exploitation of CVE-2023-23333, but public exploit code has been available since February.
One factor behind the patch failures is that the published descriptions of both vulnerabilities misstate which versions are affected. Baines clarified that only SolarView version 8.10 is patched against the two flaws; version 8.00 is not. Palo Alto Networks noted that the exploitation of CVE-2022-29303 is part of a broader campaign targeting multiple IoT vulnerabilities to spread a variant of the Mirai botnet. A public exploit for CVE-2022-29303 has been available since May 2022, so the flaw may have been targeted well before the activity Palo Alto Networks observed.
Contec has not published any guidance on these vulnerabilities on its website, and company representatives have not responded to media inquiries. Organizations running the affected devices are strongly advised to update to version 8.10 without delay. They should also determine whether any of the devices are exposed to the Internet and change network configurations so that the devices are reachable only from internal networks, reducing the risk of exploitation.
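The two checks recommended above (is the device patched, and is it exposed) are easy to get wrong, because the published version descriptions are misleading. The script below is an added example written for this article; it is not code from Contec, VulnCheck, or Palo Alto Networks. It applies the article's actual rule (anything below 8.10 is unpatched, including 8.00) and a conservative exposure rule (any address outside RFC 1918, loopback, and link-local space is treated as reachable from the Internet) to an inventory. The device names, addresses, and version strings are constructed sample data; the public-looking addresses are taken from the RFC 5737 documentation ranges and are not real hosts.

```python
"""Triage a SolarView device inventory for patch status and Internet exposure.

Added example, not vendor or researcher code. Assumptions (all labelled):
- Devices report a "major.minor" version string such as "8.00" or "8.10",
  as quoted in the article; minor is compared numerically, so "8.1" would
  be read as 8.1 < 8.10 (adjust the parser if your devices report "8.1").
- The first fixed version is 8.10, per VulnCheck; 8.00 is still vulnerable.
- Any address not in a known-internal range is treated as exposed. This is
  deliberately conservative: an unparseable or unexpected address is a
  finding, not a pass.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

FIRST_PATCHED_VERSION = (8, 10)  # only 8.10 is patched (article); 8.00 is not

# Ranges we are willing to call "internal". Everything else counts as exposed.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\s*$")
PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "ok": 3}


class Device(NamedTuple):
    name: str
    address: str
    version: str


class Finding(NamedTuple):
    name: str
    exposed: bool
    vulnerable: bool
    priority: str


def parse_version(raw: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for strings like '8.10' or 'v8.00', else None."""
    m = VERSION_RE.match(raw)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_vulnerable(raw_version: str) -> bool:
    """Vulnerable unless the version parses and is >= 8.10.

    An unknown or unparseable version is treated as vulnerable, because the
    safe default for a device with two public exploits is to assume the worst.
    """
    parsed = parse_version(raw_version)
    return parsed is None or parsed < FIRST_PATCHED_VERSION


def is_internet_exposed(address: str) -> bool:
    """True unless the address sits in one of the INTERNAL_NETWORKS ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True  # cannot prove it is internal, so flag it
    return not any(ip in net for net in INTERNAL_NETWORKS)


def priority(exposed: bool, vulnerable: bool) -> str:
    """P1: reachable from the Internet and unpatched (the population Shodan finds)."""
    if exposed and vulnerable:
        return "P1"
    if vulnerable:
        return "P2"  # unpatched but internal: still reachable from a foothold
    if exposed:
        return "P3"  # patched but exposed: pull it off the Internet anyway
    return "ok"


def triage(devices: List[Device]) -> List[Finding]:
    """Evaluate every device and return findings, highest priority first."""
    findings = []
    for d in devices:
        exposed = is_internet_exposed(d.address)
        vulnerable = is_vulnerable(d.version)
        findings.append(Finding(d.name, exposed, vulnerable, priority(exposed, vulnerable)))
    findings.sort(key=lambda f: PRIORITY_ORDER[f.priority])  # stable: keeps input order within a tier
    return findings


# Constructed sample inventory (not real devices). 203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges standing in for public IPs.
SAMPLE_INVENTORY = [
    Device("sv-site-a", "203.0.113.10", "8.00"),     # exposed and unpatched -> P1
    Device("sv-site-b", "10.20.30.40", "8.00"),      # internal but unpatched -> P2
    Device("sv-site-c", "203.0.113.11", "8.10"),     # patched but exposed    -> P3
    Device("sv-site-d", "192.168.1.50", "8.10"),     # patched and internal   -> ok
    Device("sv-site-e", "198.51.100.7", "unknown"),  # exposed, version unknown -> P1
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.priority:3} {f.name:12} exposed={f.exposed!s:5} vulnerable={f.vulnerable}")
```

Feed it your own inventory (for example, the host list exported from Shodan or from an internal asset database) instead of `SAMPLE_INVENTORY`; the important design choices are that an unknown version and an unrecognised address both produce a finding rather than a silent pass, and that the version threshold is 8.10, not 8.00.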