CVE-2025-41645: CWE-669 Incorrect Resource Transfer Between Spheres in SMA www.sunnyportal.com
An unauthenticated remote attacker could use a demo account of the portal to hijack devices that were created in that account by mistake.
AI Analysis
Technical Summary
CVE-2025-41645 is a high-severity vulnerability affecting the SMA Sunny Portal (www.sunnyportal.com), a platform used for monitoring and managing solar energy systems. The vulnerability is categorized under CWE-669, Incorrect Resource Transfer Between Spheres. The flaw allows an unauthenticated remote attacker to hijack devices that were mistakenly created within a demo account on the portal. The root cause is that the system does not properly segregate or isolate resources (devices) associated with demo accounts from those accessible to other users: because the demo account requires no authentication, anyone who uses it gains control over devices erroneously linked to it. The CVSS v3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N) indicates that the attack can be performed remotely over the network without any privileges or user interaction, and that it results in a complete integrity compromise (device hijacking) without affecting confidentiality or availability. The scope is changed, meaning the attacker can affect resources beyond the permissions of the demo account itself. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved and published in 2025, with CERTVDE as the assigner. Given the role of the Sunny Portal as a critical interface for solar energy system management, this vulnerability could allow attackers to manipulate device operations, potentially causing operational disruptions or unauthorized control over energy assets.
Potential Impact
For European organizations, especially those relying on SMA's Sunny Portal for solar energy management, this vulnerability poses significant risks. The ability to hijack devices remotely without authentication could lead to unauthorized control over solar inverters or related energy infrastructure. This could disrupt energy production, cause financial losses, or damage equipment through malicious commands. Since many European countries have invested heavily in renewable energy and smart grid technologies, exploitation could undermine energy reliability and trust in renewable infrastructure. Additionally, attackers could use compromised devices as footholds for further network intrusion or sabotage. The integrity impact is high, as attackers can alter device behavior, but confidentiality and availability impacts are limited. The lack of required authentication and user interaction lowers the barrier for exploitation, increasing the threat level. The absence of known exploits suggests the vulnerability is not yet actively exploited, but the potential impact warrants urgent attention.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement compensating controls immediately. These include:
- Restricting or disabling demo account access on the Sunny Portal to prevent unauthorized use.
- Auditing all devices associated with demo accounts and reassigning or removing any mistakenly created devices.
- Implementing network-level access controls to limit exposure of the Sunny Portal to trusted IP ranges or VPN-only access.
- Monitoring portal logs for unusual activity indicative of unauthorized device control attempts.
- Coordinating with SMA for timely patch releases and applying updates as soon as they become available.
- Educating operational staff about the vulnerability and enforcing strict account management policies to prevent resource misallocation.
- Considering additional endpoint or device-level security controls to detect or prevent unauthorized commands.
These targeted measures go beyond generic advice by focusing on the specific vulnerability vector: demo account misuse and resource misallocation.
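The following script is an added example that is not part of this record and is not SMA code; it illustrates the audit and monitoring steps above (devices bound to demo accounts, and control commands issued from demo accounts) together with the server-side ownership check whose absence CWE-669 describes. The inventory structure, the account and device identifiers, the log line format and the set of control actions are all constructed assumptions, not the Sunny Portal's real data model or log format.

```python
"""Audit helpers for the demo-account mitigation steps (added example, not SMA code).

All data structures below are constructed for illustration; the real portal's
inventory export and log format are not documented on this page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    is_demo: bool          # demo accounts belong to a separate, untrusted sphere


@dataclass(frozen=True)
class Device:
    device_id: str
    owner_account: str     # account the device was registered under


# Constructed sample inventory with hypothetical identifiers.
ACCOUNTS = [
    Account("demo-public", True),
    Account("plant-ops-42", False),
]
DEVICES = [
    Device("inv-0001", "plant-ops-42"),
    Device("inv-0002", "demo-public"),   # registered under the demo account by mistake
    Device("inv-0003", "orphan-acct"),   # owner not present in the account list
]


def find_misplaced_devices(accounts, devices):
    """Audit step: return ids of devices owned by a demo account or by no known account.

    Both cases need reassignment to a real, authenticated owner (or removal).
    """
    demo = {a.account_id for a in accounts if a.is_demo}
    known = {a.account_id for a in accounts}
    return sorted(
        d.device_id for d in devices
        if d.owner_account in demo or d.owner_account not in known
    )


# Constructed log format: "<timestamp> account=<id> action=<verb> device=<id>"
SAMPLE_LOG = """\
2025-05-21T09:00:01Z account=plant-ops-42 action=read_status device=inv-0001
2025-05-21T09:00:07Z account=demo-public action=set_parameter device=inv-0002
2025-05-21T09:00:09Z account=demo-public action=read_status device=inv-0002
"""

# Hypothetical set of actions that change device state (integrity-relevant).
CONTROL_ACTIONS = {"set_parameter", "reboot", "firmware_update"}


def control_events_from_demo(log_text, accounts):
    """Monitoring step: return (account, action, device) for control actions by demo accounts."""
    demo = {a.account_id for a in accounts if a.is_demo}
    hits = []
    for line in log_text.splitlines():
        # First token is the timestamp; the rest are key=value pairs.
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("account") in demo and fields.get("action") in CONTROL_ACTIONS:
            hits.append((fields["account"], fields["action"], fields["device"]))
    return hits


def may_control(account, device):
    """Server-side check the flaw lacks: control requires a non-demo account that owns the device."""
    return (not account.is_demo) and device.owner_account == account.account_id


if __name__ == "__main__":
    print("misplaced devices:", find_misplaced_devices(ACCOUNTS, DEVICES))
    print("demo control events:", control_events_from_demo(SAMPLE_LOG, ACCOUNTS))
```

Running the audit over a real inventory export only requires replacing the constructed lists with the exported records; the ownership check shows the decision a control endpoint should make before acting on a command, independent of how the device came to be registered.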
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium, Austria, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERTVDE
- Date Reserved: 2025-04-16T11:17:48.305Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd6602
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 7/12/2025, 2:16:43 AM
Last updated: 7/26/2025, 1:03:09 PM