← Back

CVE-2025-36752

nvd nist
Published: Dec 13, 2025Modified: Jan 14, 2026

JSON object

Loading...
9.4
Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: csirt@divd.nl (Secondary)

Description

Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.

Affected (1)

Growatt
1 product
Shine Lan X Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Shine Lan X Firmware
From 3.6.0.0 to 3.6.0.2
Running on/withPlatform Versions
Growatt
Shine Lan X
All versions

Related CWEs

CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.

References (1)

Source: csirt@divd.nl
Third Party Advisory

Timeline

No history available yet.