CVE-2025-31933

Published: Apr 15, 2025Modified: Nov 14, 2025

6.9

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: ics-cert@hq.dhs.gov (Secondary)

Description

An unauthenticated attacker can check the existence of usernames in the system by querying an API.

Affected (1)

Products: Growatt: Cloud Portal

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Growatt Cloud Portal	Up to 3.6.0

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (1)

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04

Source: ics-cert@hq.dhs.gov

MitigationThird Party AdvisoryUS Government Resource

Timeline

No history available yet.