- AustraliaEnglish
- BelgiumDutchFrench
- BrasilPortuguese
- BulgariaBulgarian
- CanadaEnglish
- Greater ChinaSimplified ChineseTraditional Chinese
- CzechCzech
- FinlandFinnish
- FranceFrench
- Germany (Global)GermanEnglishFrenchSpanish
- GreeceGreek
- HungaryHungarian
- IndiaEnglish
- ItalyItalian
- IrelandEnglish
- JapanJapanese
- IsraelHebrew
- KoreaKorean
- LuxembourgFrench
- MalaysiaMalaysian
- MexicoSpanish
- Middle East & AfricaEnglish
- NetherlandsDutch
- PolandPolish
- PortugalPortuguese
- RomaniaRomanian
- SlovakiaCzech
- SpainSpanish
- South AmericaSpanish
- South AsiaEnglish
- South East AsiaEnglish
- SwedenSwedish
- ThailandThai
- TurkeyTurkish
- UkraineUkrainian
- United KingdomEnglish
- United States of AmericaEnglish
Current security notifications
Please also read the information and documentation in our document archive.
SMA is member of CERT@VDE.
All advisories as well as news-feed options for SMA reports can be found there.
May 13th, 2025 | Sunny Portal demo system privilege escalation
An unauthenticated attacker could get access to systems within the demo-system area. Limited to the demo-systems provided there the attacker could change parameters and configuration data. No indicators of compromise have been identified.
The classic portal www.sunnyportal.com was affected before February 20th, 2025.
SMA has fixed the vulnerability on the web service. No customer action is required.
For more details, including the advisory, please visit https://certvde.com/en/advisories/VDE-2025-010.
February 25th, 2025 | Sunny Portal Remote Code Execution
An unauthenticated remote attacker can upload an '.aspx' file instead of a PV system picture through the demo account. The code can be executed in the security context of the front-end webserver, limited by the specific user rights.
The portal www.sunnyportal.com was affected before December 19th, 2024.
SMA has fixed the vulnerability on the web service. No customer action is required.
For more details, including the advisory, please visit https://certvde.com/en/advisories/VDE-2025-012.
January 27th, 2025 | Clickjacking vulnerability in Sunny Webbox
A security researcher discovered that in the affected products Sunny Webbox / Sunny Webbox with Bluetooth a clickjacking vulnerability in the web frontend exists. An attacker could make the user to perform clicks on a malicious website which seems to be the WebUI of the affected product. The affected products are out of support (End-of-Life 2015-12-31).
A user can be made to perform unwanted actions on other systems while he expects to perform a click on the Webbox WebUI.
Replace out-of-support Sunny Webbox / Sunny Webbox by Bluetooth to SMA Data Manager M or SMA Data Manager L. Please note technical information on the switchover to be found at www.sma-sunny.com/en/how-to-replace-old-data-logger/
If you can not replace your Webbox by a SMA Data Manager M or L then isolate the affected network segment by blocking all incoming network traffic. Especially never configure your network to allow a port forwarding to SMA Webbox.
Further details, including advisory, can be found at https://certvde.com/en/advisories/VDE-2024-075
January 27th, 2025 | Cross Site Request Forgery vulnerability im SMA Cluster Controller
A security researcher discovered a Cross Site Request Forgery (CSRF, XSRF) vulnerability in SMA Cluster Controller. The affected products are out of support (End-of-Life 2018-06-30).
The vulnerability could allow an attacker to send a malicious link to an authenticated user to perform actions with the user's permissions on the affected device.
Replace out-of-support Cluster Controller by SMA Data Manager M or SMA Data Manager L. Please note technical information on the switchover to be found at https://www.sma-sunny.com/en/how-to-replace-old-data-logger/
If you can not replace your Cluster Controller by a SMA Data Manager M or L then isolate the affected network segment by blocking all incoming network traffic. Especially never configure your network to allow a port forwarding to SMA Cluster Controller. Avoid accessing Internet resources while logged in to the Cluster Controller.
Further details, including advisory, can be found at https://certvde.com/en/advisories/VDE-2024-020
November 27th, 2024 | SQL-Injection vulnerability in SMA Sunny Central
In SMA Sunny Central inverters with firmware version numbers < 10.01.18.R, there is an authenticated (administration rights) SQL injection vulnerability on the administration panel that allows access to a database. The database that can be accessed is a log database that stores measurement data for graphical representation.
Further details, including the advisory, can be found at https://certvde.com/en/advisories/VDE-2024-074.
July 13, 2023 | “MOVEit” cybersecurity incident
Information on the “MOVEit” cybersecurity incident
In June 2023, we identified a cybersecurity incident at SMA in connection with the MOVEit software. The affected system was immediately shut down and examined in line with our successfully established cybersecurity processes, and the appropriate emergency measures were implemented. A damage analysis revealed that no personal details or business-critical data were affected, because the system in question was isolated from SMA’s network of core systems. Data encryption did not take place.
This incident does not result in any risks to SMA’s business partners or employees.
If you have any questions about this or any other cyber-security-related issues, please do not hesitate to contact Information-Security@sma.de.
December 20, 2021 | Log4Shell vulnerability
As already reported in the international media, a cyber security vulnerability has been identified (CVE-2021-44228, https://nvd.nist.gov/vuln/detail/CVE-2021-44228). It enables hackers to execute malicious program codes on the target systems, compromising system security as a result.
SMA inverters and the SMA monitoring portals are not affected by this latest vulnerability, although certain other SMA products may be affected. For these products, SMA will soon provide automatic software updates to counter the vulnerability. To make it harder for hackers to attack vulnerable systems, SMA will not disclose the products and versions in question until after the automatic updates have been rolled out.
Operators of large-scale SMA systems that are not subject to the automatic update will be contacted directly by the SMA service team and the updates will be installed by agreement.
You can find further information about this issue in the SMA manufacturer declaration →. It is updated regularly.
If you have any further questions, please contact SMA Information-Security@sma.de.
We are doing everything we can to solve this problem and would like to apologize for any inconvenience caused.