What is SolarView Compact?
SolarView Compact is a solar power monitoring system developed by Contec Co., Ltd., used in industrial and commercial photovoltaic (PV) installations to monitor energy generation, equipment status, and system performance. It provides a web-based management interface accessible over the local network for configuration and diagnostics, including email alert functions that notify operators of system anomalies. SolarView Compact devices are deployed in industrial control system (ICS) environments, where they may be connected to both IT and OT networks and are often exposed to the internet for remote monitoring by facility operators.
Overview
CVE-2022-29303 is a critical OS command injection vulnerability (CWE-78, CVSS 9.8) in the "send test mail" console of the SolarView Compact web server. An unauthenticated attacker can inject arbitrary operating system commands through the email test function's parameters and gain remote code execution with the privileges of the web server process. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog in July 2023, 14 months after CVE publication, which means unpatched internet-facing devices were still being actively exploited long after public disclosure.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| SolarView Compact | Ver.6.00 and earlier | Contact vendor |
CISA's required action notes that if updates are unavailable, the product should be discontinued.
Technical Details
The vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command) exists in the web application's email test functionality. When a user submits the test mail form, the web server constructs a mail command using user-supplied input parameters (such as the mail server address or recipient) without sanitizing shell metacharacters.
An unauthenticated attacker can submit crafted input containing OS command separators and arbitrary shell commands. The web server executes these commands in the context of its operating system user account, allowing the attacker to:
- Read sensitive configuration files including network credentials and API keys
- Establish persistent access by creating new accounts or installing backdoors
- Pivot to connected operational technology (OT) systems on the same network
- Disrupt solar facility monitoring and control functions
The attack requires only HTTP access to the SolarView Compact web interface, no authentication, and a single crafted POST request.
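To make the CWE-78 pattern concrete, here is an added example written for this page; it is not Contec's code and is not taken from the SolarView Compact firmware. A stand-in mail-test handler splices the two form fields into a shell command string, next to a hardened version that allowlists the fields and never invokes a shell. The `echo` command standing in for the real mail client, the parameter names `server` and `recipient`, the validation patterns and the injection payload are all assumptions.

```python
import re
import subprocess

# "echo" stands in for the device's real mail-sending helper (an assumption),
# so the example runs anywhere without a mail server.
MAIL_TOOL = "echo"


def send_test_mail_vulnerable(server: str, recipient: str) -> str:
    """CWE-78 pattern: form fields are spliced into one command string that a
    shell then parses, so ';', '|', '&', backticks and $( ) in the input become
    command separators or substitutions and run as the web server's user."""
    cmd = f"{MAIL_TOOL} sending test mail via {server} to {recipient}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Allowlists for the two fields (assumed formats): a DNS hostname and a plain
# e-mail address. Neither admits a shell metacharacter.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
MAIL_RE = re.compile(r"^(?=.{3,254}$)[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def send_test_mail_hardened(server: str, recipient: str) -> str:
    """Validate against an allowlist, then pass an argv list with shell=False so
    the arguments reach the program untouched by any shell. Either measure alone
    blocks this class of injection; together they also reject malformed input
    before anything is executed."""
    if not HOST_RE.match(server):
        raise ValueError(f"invalid mail server address: {server!r}")
    if not MAIL_RE.match(recipient):
        raise ValueError(f"invalid recipient: {recipient!r}")
    argv = [MAIL_TOOL, "sending", "test", "mail", "via", server, "to", recipient]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "ops@example.com; echo INJECTED"  # constructed injection payload
    print("vulnerable:", repr(send_test_mail_vulnerable("mail.example.com", payload)))
    try:
        send_test_mail_hardened("mail.example.com", payload)
    except ValueError as exc:
        print("hardened  :", exc)
```

Run it and the vulnerable handler prints a second line produced by the injected `echo`, while the hardened handler refuses the same input before any process is started. The argv form is the part that matters most: even if a validation regex were wrong, `shell=False` hands `;` and `$(` to the mail program as literal characters rather than to `/bin/sh`.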
Discovery
The vulnerability was discovered and reported to the Japan Vulnerability Notes (JVN) program, which published advisory JVNVU92327282 concurrently with the CVE publication in May 2022. SolarView Compact is a Japanese product, and JVN is the primary disclosure channel for Japanese vendors.
Exploitation Context
SolarView Compact devices are attractive targets because:
- Solar monitoring systems are often internet-facing to allow remote management by operators and installers
- They sit at the boundary between IT networks and OT/ICS environments — compromising one provides access to both
- Energy sector ICS networks are high-value targets for nation-state actors seeking to disrupt infrastructure
- Many small solar installations lack dedicated security personnel to apply firmware updates
Evidence of active exploitation 14 months after CVE publication (the point at which CISA added it to KEV) reflects the difficulty of patching ICS devices in production, where a maintenance window interrupts facility monitoring. Attackers who compromise ICS devices typically aim for persistent access, which they then use for reconnaissance of the connected operational technology.
Remediation
- Apply vendor patch: Update SolarView Compact firmware to the patched version per Contec's guidance. If no patch is available for your version, contact Contec directly.
- Disconnect from internet if unpatched: If patching is not immediately possible, remove direct internet access to the SolarView Compact web interface. Use a VPN or bastion host for remote access.
- Firewall the web interface: Restrict access to the SolarView Compact web management port (typically HTTP/HTTPS) to authorized management networks only.
- Network segmentation: Ensure SolarView Compact is isolated on a dedicated OT/ICS VLAN with limited connectivity to enterprise IT networks.
- Monitor for anomalies: Review SolarView Compact logs for unexpected outbound network connections or system configuration changes, and review web server or reverse proxy logs for requests to the test-mail function whose parameters contain shell metacharacters (`;`, `|`, backticks, `$(`).
- Discontinue if EoL: CISA recommends discontinuing use if updates are unavailable — solar facility operators should evaluate migrating to actively supported monitoring equipment.
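As an added example of the monitoring step (this is not Contec tooling, and the page does not name the device's form endpoint), the following Python script inspects constructed reverse-proxy records for requests to the test-mail form whose decoded parameters contain shell metacharacters. The endpoint path `/mail_test`, the parameter names `mail_server` and `mail_address`, the record format and the sample records are all assumptions. Plain web server access logs record only the request line, so a POST body is visible only if a reverse proxy, WAF or packet capture in front of the device logs it; that is the record format used here.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus

# Assumed path of the "send test mail" form; the page does not name the real
# endpoint, so adapt this to the device you are monitoring.
MAIL_TEST_PATH = "/mail_test"

# Shell constructs that never belong in a mail server name or an e-mail address:
# separators, pipes, backgrounding, backticks, redirection, newlines, and the
# $( ) / ${ } substitution openers.
SHELL_META = re.compile(r"[;|&`<>\r\n]|\$\(|\$\{")


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so a double-encoded %253B (';') is
    still seen as a metacharacter."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_injection_attempts(records):
    """records: JSON lines from a reverse proxy or WAF in front of the device,
    one request per line with ts, src, method, path, query and body fields
    (an assumed format). Returns one finding per suspicious parameter."""
    findings = []
    for line in records:
        rec = json.loads(line)
        if rec.get("path") != MAIL_TEST_PATH:
            continue
        # Check both the query string and the form body: the known attack is a
        # POST, but a GET variant should not slip past the check.
        raw = "&".join(part for part in (rec.get("query", ""), rec.get("body", "")) if part)
        for name, value in parse_qsl(raw, keep_blank_values=True):
            decoded = fully_decode(value)
            if SHELL_META.search(decoded):
                findings.append({"ts": rec["ts"], "src": rec["src"],
                                 "param": name, "value": decoded})
    return findings


# Constructed sample records (not real traffic): one benign test-mail request,
# one with a ';'-separated second command, one with a double-encoded $( ), and
# one unrelated request.
SAMPLE_RECORDS = [
    '{"ts":"2023-07-10T02:14:07Z","src":"192.0.2.5","method":"POST","path":"/mail_test",'
    '"query":"","body":"mail_server=mail.example.com&mail_address=ops%40example.com"}',
    '{"ts":"2023-07-10T02:14:09Z","src":"198.51.100.23","method":"POST","path":"/mail_test",'
    '"query":"","body":"mail_server=127.0.0.1%3B+cat+%2Fetc%2Fpasswd&mail_address=a%40b.cc"}',
    '{"ts":"2023-07-10T02:14:11Z","src":"198.51.100.23","method":"GET","path":"/mail_test",'
    '"query":"mail_address=a%40b.cc%2524%2528id%2529","body":""}',
    '{"ts":"2023-07-10T02:15:00Z","src":"192.0.2.5","method":"GET","path":"/status",'
    '"query":"page=1","body":""}',
]


if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_RECORDS):
        print(f"{f['ts']} {f['src']} param={f['param']} value={f['value']!r}")
```

Two of the four constructed records are flagged: the `;`-separated command in `mail_server` and the `$(id)` that only appears after a second round of URL decoding. Any hit on this endpoint from an address outside the management network is worth treating as an exploitation attempt rather than a false positive, since a legitimate mail server name or recipient never contains these characters.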
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-29303 |
| Vendor / Product | Contec / SolarView Compact |
| NVD Published | 2022-05-12 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2023-07-13 |
| CISA KEV Deadline | 2023-08-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-05-12 | CVE published; JVN advisory JVNVU92327282 published |
| 2023-07-13 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-08-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-29303 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| JVNVU92327282 — SolarView Compact Command Injection | Vulnerability Database |