Growatt

growatt

35 CVEs • 3 products

Products (3)

Click to collapse

Toggle

CVEs (35)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-36753 1Growatt 1Shine Lan X Firmware Jan 14, 2026 Dec 13, 2025 8.6 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extracting secrets or domains from within the device
CVE-2025-36752 1Growatt 1Shine Lan X Firmware Jan 14, 2026 Dec 13, 2025 9.4 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. Th...Show more Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.Show less
CVE-2025-36750 1Growatt 1Shine Lan X Firmware Jan 14, 2026 Dec 13, 2025 8.5 HIGH· v4 5.4 MEDIUM· v3 N/A· v2 ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the Plant Name field. A HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitima...Show more ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the Plant Name field. A HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.Show less
CVE-2025-36748 1Growatt 1Shine Lan X Firmware Jan 14, 2026 Dec 13, 2025 8.4 HIGH· v4 5.4 MEDIUM· v3 N/A· v2 ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attac...Show more ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.Show less
CVE-2025-36747 1Growatt 1Shine Lan X Firmware Jan 14, 2026 Dec 13, 2025 9.4 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files b...Show more ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.Show less
CVE-2025-31950 1Growatt 1Cloud Portal Nov 12, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 An unauthenticated attacker can obtain EV charger energy consumption information of other users.
CVE-2025-31945 1Growatt 1Cloud Portal Nov 12, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 An unauthenticated attacker can obtain other users' charger information.
CVE-2025-31654 1Growatt 1Cloud Portal Nov 12, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms").
CVE-2025-31360 1Growatt 1Cloud Portal Nov 12, 2025 Apr 15, 2025 6.9 MEDIUM· v4 7.5 HIGH· v3 N/A· v2 Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.
CVE-2025-31147 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.
CVE-2025-30512 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 6.9 MEDIUM· v4 6.5 MEDIUM· v3 N/A· v2 Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).
CVE-2025-30510 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 An attacker can upload an arbitrary file instead of a plant image.
CVE-2025-30257 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account.
CVE-2025-27929 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.
CVE-2025-27927 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.
CVE-2025-27719 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 Unauthenticated attackers can query an API endpoint and get device details.
CVE-2025-27575 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.
CVE-2025-27565 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs.
CVE-2025-27561 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 Unauthenticated attackers can rename "rooms" of arbitrary users.
CVE-2025-26857 1Growatt 1Cloud Portal Nov 14, 2025 Apr 15, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).

12 Next