← Back

CVE-2025-36747

nvd nist
Published: Dec 13, 2025Modified: Jan 14, 2026

JSON object

Loading...
9.4
Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: csirt@divd.nl (Secondary)

Description

ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.

Affected (1)

Growatt
1 product
Shine Lan X Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Shine Lan X Firmware
From 3.6.0.0 to 3.6.0.2
Running on/withPlatform Versions
Growatt
Shine Lan X
All versions

Related CWEs

CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.

References (1)

Source: csirt@divd.nl
Third Party Advisory

Timeline

No history available yet.