CVE-2021-46416

HIGH

SUNNY TRIPOWER 5.0 - Info Disclosure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-46416. PoCs published by Momen Eldawakhly.

AI-analyzed exploit summary: This exploit demonstrates an Insecure Direct Object Reference (IDOR) vulnerability in SAM SUNNY TRIPOWER 5.0 by manipulating the 'username' field in the cookie to access another user's session. The PoC shows how changing the 'username' value from 861 to 850 allows unauthorized access to another user's data.

Description

Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling.

Exploits (1)

exploitdb · WORKING POC
by Momen Eldawakhly · text · webapps · hardware
https://www.exploit-db.com/exploits/50860

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SAM SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R
Auth required
Prerequisites: Valid session cookie · Access to the target system
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.1
EPSS 0.0650
EPSS Percentile 92.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE CWE-639
Status published
Products (1): sma/sunny_tripower_firmware 3.10.16.r
Published Apr 07, 2022
Tracked Since Feb 18, 2026