SB2025043030 - Multiple vulnerabilities in Growatt cloud portal
Published: April 30, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 30 vulnerabilities.
1) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27565)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can delete any user's "rooms" by knowing the user's and room IDs.
2) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-25276)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can hijack other users' devices and potentially control them.
3) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31950)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain EV charger energy consumption information of other users.
4) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27575)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.
5) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31945)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain other users' charger information.
6) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-24487)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can infer the existence of usernames in the system by querying an API.
7) Stored cross-site scripting (CVE-ID: CVE-2025-30511)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the plant name value while adding or editing a plant. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
8) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31933)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can check the existence of usernames in the system by querying an API.
9) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31949)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain any plant name by knowing the plant ID.
10) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31357)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain a user's plant list by knowing the username.
11) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31941)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain a list of smart devices by knowing a valid username.
12) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27568)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can get users' emails by knowing usernames.
13) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-26857)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can rename arbitrary devices of arbitrary users (i.e., EV chargers).
14) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-30254)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain a serial number of a smart meter(s) using its owner's username.
15) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27939)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can change registered email addresses of other users and take over arbitrary accounts.
16) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27938)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain restricted information about a user's smart device collections (i.e., "rooms").
17) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-30514)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain restricted information about a user's smart device collections (i.e., "scenes").
18) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31654)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain information about the groups of the smart home devices for arbitrary users (i.e., "rooms").
19) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27719)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can query an API endpoint and get device details.
20) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-24850)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can export other users' plant information.
21) Insufficient Type Distinction (CVE-ID: CVE-2025-30510)
CWE-ID: CWE-351 - Insufficient Type Distinction
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient type distinction. A remote attacker can upload an arbitrary file instead of a plant image.
22) Stored cross-site scripting (CVE-ID: CVE-2025-24297)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
23) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27927)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain a list of smart devices by knowing a valid username through an unprotected API.
24) Configuration (CVE-ID: CVE-2025-30512)
CWE-ID: CWE-16 - Configuration
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The issue may allow a local user to bypass implemented security restrictions.
The issue exists due to external control of system or configuration setting. A remote attacker can send configuration settings to device and possible perform physical actions remotely.
25) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31360)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can trigger device actions associated with specific "scenes" of arbitrary users.
26) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31147)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can query information about total energy consumed by EV chargers of arbitrary users.
27) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-30257)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can retrieve serial number of smart meters associated to a specific user account.
28) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27561)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can rename "rooms" of arbitrary users.
29) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-24315)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can add devices of other users to their scenes.
30) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27929)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can retrieve full list of users associated with arbitrary accounts.
Remediation
Install update from vendor's website.