SB2025043030 - Multiple vulnerabilities in Growatt cloud portal




Published: April 30, 2025

Security Bulletin ID: SB2025043030
Severity: High
Patch available: YES
Number of vulnerabilities: 30
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 7%, Medium: 87%, Low: 7%

Description

This security bulletin contains information about 30 security vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27565)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can delete any user's "rooms" by knowing the user and room IDs.


2) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-25276)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can hijack other users' devices and potentially control them.


3) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31950)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain EV charger energy consumption information of other users.


4) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27575)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.


5) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31945)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain other users' charger information.


6) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-24487)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can infer the existence of usernames in the system by querying an API.


7) Stored cross-site scripting (CVE-ID: CVE-2025-30511)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the plant name value while adding or editing a plant. A remote attacker can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


8) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31933)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can check the existence of usernames in the system by querying an API.


9) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31949)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain any plant name by knowing the plant ID.


10) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31357)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain a user's plant list by knowing the username.


11) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31941)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain a list of smart devices by knowing a valid username.


12) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27568)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can get users' emails by knowing usernames.


13) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-26857)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can rename arbitrary devices of arbitrary users (i.e., EV chargers).


14) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-30254)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain the serial number of one or more smart meters using the owner's username.


15) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27939)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can change registered email addresses of other users and take over arbitrary accounts.


16) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27938)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain restricted information about a user's smart device collections (i.e., "rooms").


17) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-30514)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain restricted information about a user's smart device collections (i.e., "scenes").


18) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31654)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain information about the groups of the smart home devices for arbitrary users (i.e., "rooms").


19) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27719)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can query an API endpoint and get device details.


20) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-24850)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can export other users' plant information.


21) Insufficient Type Distinction (CVE-ID: CVE-2025-30510)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient type distinction. A remote attacker can upload an arbitrary file instead of a plant image.


22) Stored cross-site scripting (CVE-ID: CVE-2025-24297)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


23) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27927)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain a list of smart devices by knowing a valid username through an unprotected API.


24) Configuration (CVE-ID: CVE-2025-30512)

The issue may allow a local user to bypass implemented security restrictions.

The issue exists due to external control of system or configuration setting. A remote attacker can send configuration settings to the device and possibly perform physical actions remotely.


25) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31360)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can trigger device actions associated with specific "scenes" of arbitrary users.


26) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-31147)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can query information about total energy consumed by EV chargers of arbitrary users.


27) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-30257)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can retrieve the serial number of smart meters associated with a specific user account.


28) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27561)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can rename "rooms" of arbitrary users.


29) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-24315)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can add devices of other users to their scenes.


30) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-27929)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can retrieve the full list of users associated with arbitrary accounts.


Remediation

Install the update from the vendor's website.