{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/oob-injection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SolarEdge Monitoring Platform - Framework /solaredge-web/"],"_cs_severities":["medium"],"_cs_tags":["solaredge","csrf","oob-injection","webapps"],"_cs_type":"threat","_cs_vendors":["SolarEdge Technologies Ltd."],"content_html":"\u003cp\u003eA cross-site request forgery (CSRF) and out-of-band (OOB) injection vulnerability has been identified in the SolarEdge Monitoring Platform, specifically affecting the \u003ccode\u003e/solaredge-web/p/initClient\u003c/code\u003e endpoint. The vulnerability, discovered by nu11secur1ty, stems from a business logic flaw that allows the generation and overwriting of session parameters without proper origin validation. An attacker can leverage this vulnerability to force a legitimate operator\u0026rsquo;s browser to execute unauthorized commands. Additionally, by manipulating the \u003ccode\u003eX-Forwarded-For\u003c/code\u003e and \u003ccode\u003eReferer\u003c/code\u003e headers, an attacker can force the SolarEdge internal infrastructure to initiate requests to external, attacker-controlled domains, demonstrating a lack of framework-level filtration. This could lead to session compromise and potential unauthorized control over photovoltaic systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing a POST request to \u003ccode\u003e/solaredge-web/p/initClient\u003c/code\u003e with the \u003ccode\u003ecmd=createCookie\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted POST request sets arbitrary session parameters due to the lack of CSRF protection.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the \u003ccode\u003eX-Forwarded-For\u003c/code\u003e header to point to an attacker-controlled domain (e.g., \u003ccode\u003ecn3iam50ywo00n2a5vvi3o59r0xrln9c.oastify.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker may also manipulate the \u003ccode\u003eReferer\u003c/code\u003e header to further control the request\u0026rsquo;s origin.\u003c/li\u003e\n\u003cli\u003eA victim user visits the attacker-controlled webpage, triggering the CSRF attack.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser sends the crafted POST request to the SolarEdge Monitoring Platform.\u003c/li\u003e\n\u003cli\u003eThe SolarEdge infrastructure initiates an out-of-band request to the attacker-controlled domain specified in the \u003ccode\u003eX-Forwarded-For\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the SolarEdge platform through session hijacking or gains information about the internal infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow an attacker to hijack legitimate user sessions on the SolarEdge Monitoring Platform. This can lead to unauthorized monitoring, modification, or control of physical photovoltaic systems managed through the platform. An attacker could potentially disrupt energy production, tamper with system settings, or gain access to sensitive data. The lack of specific victim count or sector information limits a precise impact assessment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement CSRF protection measures on the \u003ccode\u003e/solaredge-web/p/initClient\u003c/code\u003e endpoint to prevent unauthorized session parameter manipulation, mitigating the primary CSRF vulnerability described in the Overview.\u003c/li\u003e\n\u003cli\u003eSanitize and validate the \u003ccode\u003eX-Forwarded-For\u003c/code\u003e and \u003ccode\u003eReferer\u003c/code\u003e headers to prevent out-of-band injection attacks, blocking requests to attacker-controlled domains such as \u003ccode\u003ecn3iam50ywo00n2a5vvi3o59r0xrln9c.oastify.com\u003c/code\u003e (IOC).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SolarEdge Out-of-Band Injection via X-Forwarded-For\u0026rdquo; to identify attempts to exploit this vulnerability in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T13:32:19Z","date_published":"2026-05-21T13:32:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-solaredge-csrf-oob-injection/","summary":"A CSRF-OOB-Injection vulnerability exists in SolarEdge Monitoring Platform's `/solaredge-web/p/initClient` endpoint due to improper validation of session parameters, allowing attackers to manipulate headers to initiate requests to attacker-controlled domains, potentially leading to session compromise and unauthorized system control.","title":"SolarEdge CSRF and Out-of-Band Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-solaredge-csrf-oob-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Oob-Injection","version":"https://jsonfeed.org/version/1.1"}