Multiple vulnerabilities in Growatt cloud portal



Risk: High

Patch available: Yes

Number of vulnerabilities: 30

CVE-ID: CVE-2025-27565, CVE-2025-25276, CVE-2025-31950, CVE-2025-27575, CVE-2025-31945, CVE-2025-24487, CVE-2025-30511, CVE-2025-31933, CVE-2025-31949, CVE-2025-31357, CVE-2025-31941, CVE-2025-27568, CVE-2025-26857, CVE-2025-30254, CVE-2025-27939, CVE-2025-27938, CVE-2025-30514, CVE-2025-31654, CVE-2025-27719, CVE-2025-24850, CVE-2025-30510, CVE-2025-24297, CVE-2025-27927, CVE-2025-30512, CVE-2025-31360, CVE-2025-31147, CVE-2025-30257, CVE-2025-27561, CVE-2025-24315, CVE-2025-27929

CWE-ID: CWE-639, CWE-79, CWE-351, CWE-16

Exploitation vector: Network

Public exploit: N/A

Vulnerable software: Growatt cloud portal

Vendor: Growatt

Security Bulletin

This security bulletin contains information about 30 vulnerabilities.

1) Authorization bypass through user-controlled key

EUVDB-ID: #VU108038

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27565

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to delete other users' data.

The vulnerability exists due to authorization bypass through a user-controlled key. A remote attacker can delete any user's "rooms" (smart-device groups) by supplying that user's ID and the room ID in the request; the portal does not check that the caller owns the room.
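The CWE-639 pattern behind this entry (and the other authorization-bypass entries in this bulletin) is an object lookup keyed by identifiers the client supplies, with the ownership check, if any, made against a value the client also supplies. The following is an added illustration written for this page, not Growatt's code; the room model, the request shape and the user IDs are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Room:
    room_id: int
    owner_id: int
    name: str


@dataclass
class Portal:
    """Minimal in-memory stand-in for the portal's room storage (constructed for this example)."""
    rooms: dict = field(default_factory=dict)  # room_id -> Room

    def add_room(self, room_id, owner_id, name):
        self.rooms[room_id] = Room(room_id, owner_id, name)

    def delete_room_vulnerable(self, request):
        """CWE-639 pattern: the owner to check against is taken from the request itself.

        Whoever knows a victim's user ID and room ID can put both in the request and
        the ownership comparison succeeds, because both sides are attacker-chosen.
        """
        room = self.rooms.get(request["room_id"])
        if room is None:
            return 404
        if room.owner_id != request["user_id"]:
            return 403
        del self.rooms[room.room_id]
        return 200

    def delete_room_hardened(self, session_user_id, request):
        """Ownership is checked against the identity of the authenticated session.

        Any user ID in the request body is ignored. A room that does not exist and a
        room owned by someone else get the same response, so the endpoint cannot be
        used to probe which room IDs are in use.
        """
        room = self.rooms.get(request["room_id"])
        if room is None or room.owner_id != session_user_id:
            return 404
        del self.rooms[room.room_id]
        return 200


def demo():
    """Replays the scenario: user 200 tries to delete room 7 owned by user 100."""
    portal = Portal()
    portal.add_room(7, owner_id=100, name="Garage")
    vulnerable = portal.delete_room_vulnerable({"user_id": 100, "room_id": 7})
    portal.add_room(7, owner_id=100, name="Garage")
    hardened = portal.delete_room_hardened(200, {"user_id": 100, "room_id": 7})
    return vulnerable, hardened, 7 in portal.rooms


if __name__ == "__main__":
    print(demo())
```

The same shape applies to every read, rename or delete keyed by a user ID, plant ID, charger ID or room ID: the identity comes from the session, the object is fetched, and the handler proceeds only if the object's owner equals that identity.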

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Authorization bypass through user-controlled key

EUVDB-ID: #VU108041

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-25276

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain control over other users' devices.

The vulnerability exists due to authorization bypass through a user-controlled key. A remote attacker can hijack other users' devices and potentially control them.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Authorization bypass through user-controlled key

EUVDB-ID: #VU108036

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-31950

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain EV charger energy consumption information of other users.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Authorization bypass through user-controlled key

EUVDB-ID: #VU108037

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27575

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Authorization bypass through user-controlled key

EUVDB-ID: #VU108035

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-31945

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain other users' charger information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Authorization bypass through user-controlled key

EUVDB-ID: #VU108020

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-24487

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can infer the existence of usernames in the system by querying an API.
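Entries 6 and 8 are username-enumeration issues: an API answers differently depending on whether a username exists, so an attacker can harvest valid accounts to feed the username-keyed lookups elsewhere in this bulletin. An operator-side check for this behaviour is to count distinct usernames queried per source address. The following is an added example, not Growatt's code or logs; the log format, the endpoint path and the addresses are constructed for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines for the example (not real Growatt logs):
# timestamp, source IP, method, request target, status.
SAMPLE_LOG = """\
2025-04-15T10:00:01Z 203.0.113.5 GET /api/user/exists?name=alice 200
2025-04-15T10:00:01Z 203.0.113.5 GET /api/user/exists?name=bob 200
2025-04-15T10:00:02Z 203.0.113.5 GET /api/user/exists?name=carol 200
2025-04-15T10:00:02Z 203.0.113.5 GET /api/user/exists?name=dave 200
2025-04-15T10:00:03Z 203.0.113.5 GET /api/user/exists?name=erin 200
2025-04-15T10:00:03Z 203.0.113.5 GET /api/user/exists?name=frank 200
2025-04-15T10:00:09Z 198.51.100.7 GET /api/user/exists?name=alice 200
2025-04-15T10:00:10Z 198.51.100.7 GET /api/user/exists?name=alice 200
2025-04-15T10:00:11Z 192.0.2.9 GET /api/plant/list 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$"
)
ENUM_PATH = "/api/user/exists"  # hypothetical endpoint name used only in this example


def parse_line(line):
    """Returns the fields of one log line, or None if the line is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def distinct_usernames_per_source(log_text, path=ENUM_PATH):
    """Maps each source IP to the number of distinct usernames it queried on `path`."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != path:
            continue
        for name in parse_qs(url.query).get("name", []):
            seen[rec["ip"]].add(name)
    return {ip: len(names) for ip, names in seen.items()}


def flag_enumeration(log_text, threshold=5):
    """Source addresses that queried at least `threshold` distinct usernames.

    A legitimate client checks its own username once or twice; a sweep over a
    wordlist produces many distinct names from one source in a short time.
    """
    counts = distinct_usernames_per_source(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

The threshold and window are tuning knobs; the point is that the signal is the number of distinct names, not the request rate, because a slow sweep is still a sweep.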

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Stored cross-site scripting

EUVDB-ID: #VU108008

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-30511

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the plant name value when adding or editing a plant. A remote attacker can inject arbitrary HTML and script code that is stored by the portal and executed in a victim's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, deface the web page, and perform phishing and drive-by-download attacks.
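Stored XSS in a field like the plant name is fixed by encoding the value for the HTML context at output time, with an input-side policy as defence in depth. The following is an added example, not Growatt's code; the markup and the test payload are constructed for the illustration.

```python
import html
import re

# Constructed test input for the example, not a payload from the advisory.
PAYLOAD = '<img src=x onerror="alert(1)">'


def render_plant_card_vulnerable(plant_name):
    """Interpolates the stored plant name straight into HTML.

    Whatever was saved as the name is parsed as markup by every user who views
    the page where the plant is listed, which is what makes the XSS "stored".
    """
    return f"<div class='plant'><h2>{plant_name}</h2></div>"


def render_plant_card_hardened(plant_name):
    """Encodes the value for the HTML text context before interpolating it.

    '<', '>', '&' and both quote characters become entities, so the browser
    renders the name as text and never as elements or attributes.
    """
    return f"<div class='plant'><h2>{html.escape(plant_name, quote=True)}</h2></div>"


# Input-side policy (assumed for this example): a plant name is short and never
# legitimately contains angle brackets or quotes. Output encoding stays the primary control.
PLANT_NAME_RE = re.compile(r"^[\w .,'()-]{1,64}$", re.UNICODE)


def validate_plant_name(plant_name):
    """True if the name matches the allowed character set and length."""
    return PLANT_NAME_RE.fullmatch(plant_name) is not None


if __name__ == "__main__":
    print(render_plant_card_vulnerable(PAYLOAD))
    print(render_plant_card_hardened(PAYLOAD))
```

Encoding must match the output context: `html.escape` is correct for element text and quoted attribute values, but a plant name placed into a JavaScript string or a URL needs that context's encoding instead.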

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Authorization bypass through user-controlled key

EUVDB-ID: #VU108009

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-31933

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can check the existence of usernames in the system by querying an API.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Authorization bypass through user-controlled key

EUVDB-ID: #VU108010

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-31949

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain any plant name by knowing the plant ID.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Authorization bypass through user-controlled key

EUVDB-ID: #VU108017

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-31357

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain a user's plant list by knowing the username.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Authorization bypass through user-controlled key

EUVDB-ID: #VU108018

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-31941

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain a list of smart devices by knowing a valid username.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Authorization bypass through user-controlled key

EUVDB-ID: #VU108023

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27568

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can get users' emails by knowing usernames.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Authorization bypass through user-controlled key

EUVDB-ID: #VU108034

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-26857

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to modify other users' data.

The vulnerability exists due to authorization bypass through a user-controlled key. A remote attacker can rename arbitrary devices (e.g., EV chargers) belonging to arbitrary users.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Authorization bypass through user-controlled key

EUVDB-ID: #VU108025

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-30254

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through a user-controlled key. A remote attacker can obtain the serial numbers of a user's smart meters by knowing the owner's username.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Authorization bypass through user-controlled key

EUVDB-ID: #VU108026

Risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-27939

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to take over user accounts.

The vulnerability exists due to authorization bypass through a user-controlled key. A remote attacker can change the registered email address of other users, which enables takeover of arbitrary accounts.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Authorization bypass through user-controlled key

EUVDB-ID: #VU108027

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27938

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain restricted information about a user's smart device collections (i.e., "rooms").

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Authorization bypass through user-controlled key

EUVDB-ID: #VU108028

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-30514

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain restricted information about a user's smart device collections (i.e., "scenes").

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Authorization bypass through user-controlled key

EUVDB-ID: #VU108029

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-31654

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain information about the groups of the smart home devices for arbitrary users (i.e., "rooms").

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Authorization bypass through user-controlled key

EUVDB-ID: #VU108033

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27719

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through a user-controlled key. A remote attacker can obtain details of arbitrary devices by querying an API endpoint.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Authorization bypass through user-controlled key

EUVDB-ID: #VU108079

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-24850

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can export other users' plant information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Insufficient Type Distinction

EUVDB-ID: #VU108080

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-30510

CWE-ID: CWE-351 - Insufficient Type Distinction

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient type distinction in the plant image upload: the portal does not verify that the uploaded file is actually an image. A remote attacker can upload an arbitrary file in place of a plant image.
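The fix for an upload that accepts "anything that claims to be an image" is to decide the file type from the bytes and an extension allowlist, not from the client-declared Content-Type, and to store the file under a server-chosen name. The following is an added example, not Growatt's code; the accepted formats, the size limit and the sample files are assumptions made for the illustration.

```python
import secrets

# Magic-byte signatures of the image types this example accepts (assumed allowlist).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
}
ALLOWED_EXT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg"}
ALLOWED_MIME = {"png": "image/png", "jpeg": "image/jpeg"}
MAX_BYTES = 2 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails any of the checks."""


def store_plant_image_vulnerable(filename, declared_mime, data):
    """CWE-351 pattern: trusts the client's Content-Type and keeps the client's filename."""
    if not declared_mime.startswith("image/"):
        raise UploadRejected("not an image")
    return filename


def sniff_image_type(data):
    """Image type according to the leading bytes, or None if not a known image."""
    for kind, sig in SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return None


def store_plant_image_hardened(filename, declared_mime, data):
    """Accepts only allow-listed image types whose content, extension and declared type agree."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = ALLOWED_EXT.get(ext)
    if kind is None:
        raise UploadRejected("extension not allowed")
    if sniff_image_type(data) != kind:
        raise UploadRejected("content does not match extension")
    if declared_mime != ALLOWED_MIME[kind]:
        raise UploadRejected("declared type mismatch")
    # Server-generated name: the client's filename never reaches the filesystem.
    return f"{secrets.token_hex(16)}.{kind}"


def is_accepted(filename, declared_mime, data):
    """Convenience wrapper: True if the hardened check accepts the upload."""
    try:
        store_plant_image_hardened(filename, declared_mime, data)
        return True
    except UploadRejected:
        return False


# Constructed sample files for the example.
SAMPLE_PNG = SIGNATURES["png"] + b"\x00" * 16
SAMPLE_HTML_NAMED_PNG = b"<html><script>alert(1)</script></html>"

if __name__ == "__main__":
    print(is_accepted("roof.png", "image/png", SAMPLE_PNG))
    print(is_accepted("roof.png", "image/png", SAMPLE_HTML_NAMED_PNG))
```

Serving the stored files from a separate origin with a fixed `Content-Type` and `X-Content-Type-Options: nosniff` closes the remaining path where a browser might still interpret an accepted file as something else.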

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Stored cross-site scripting

EUVDB-ID: #VU108081

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-24297

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject arbitrary HTML and script code that is stored by the portal and executed in a victim's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, deface the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Authorization bypass through user-controlled key

EUVDB-ID: #VU108082

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27927

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can obtain a list of smart devices by knowing a valid username through an unprotected API.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Configuration

EUVDB-ID: #VU108083

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-30512

CWE-ID: CWE-16 - Configuration

Exploit availability: No

Description

The vulnerability allows a remote attacker to change the configuration of other users' devices.

The vulnerability exists due to external control of a system or configuration setting. A remote attacker can send configuration settings to a device and possibly trigger physical actions on it remotely.
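Where a cloud endpoint relays settings to a physical device, the server has to decide which settings a caller may set on which device, and within what bounds, rather than forwarding the client's object as received. The following is an added example, not Growatt's code or API; the device registry, the setting names and their ranges are assumptions made for the illustration.

```python
# Constructed device registry for the example: device serial -> owner user ID.
DEVICE_OWNER = {"CHG-0001": 100, "CHG-0002": 200}


def _int_in(lo, hi):
    """Validator for an integer in [lo, hi]; bool is excluded because it is an int subclass."""
    return lambda v: isinstance(v, int) and not isinstance(v, bool) and lo <= v <= hi


# Allow-listed settings and the validator each value must pass (assumed for this example).
SETTINGS_SCHEMA = {
    "max_charge_current_a": _int_in(6, 32),
    "led_brightness": _int_in(0, 100),
    "schedule_enabled": lambda v: isinstance(v, bool),
}


def apply_settings_vulnerable(device_id, settings):
    """External control of configuration: no identity check and no key allowlist.

    Whatever object arrives is pushed to the device named in the request.
    """
    return {"device": device_id, "applied": dict(settings)}


def apply_settings_hardened(session_user_id, device_id, settings):
    """Binds the device to the session user and accepts only schema-valid settings.

    Returns the applied settings, or None when the request is rejected. An unknown
    device and a device owned by someone else get the same answer, and a single
    unknown key or out-of-range value rejects the whole request rather than
    silently dropping it.
    """
    if DEVICE_OWNER.get(device_id) != session_user_id:
        return None
    applied = {}
    for key, value in settings.items():
        check = SETTINGS_SCHEMA.get(key)
        if check is None or not check(value):
            return None
        applied[key] = value
    return {"device": device_id, "applied": applied}


if __name__ == "__main__":
    print(apply_settings_hardened(200, "CHG-0002", {"max_charge_current_a": 16}))
    print(apply_settings_hardened(100, "CHG-0002", {"max_charge_current_a": 16}))
```

Rejecting the whole request on any invalid key keeps the device's state predictable; partially applying a mixed request would let a caller learn which keys the server knows about.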

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Authorization bypass through user-controlled key

EUVDB-ID: #VU108084

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-31360

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to trigger actions on other users' devices.

The vulnerability exists due to authorization bypass through a user-controlled key. A remote attacker can trigger the device actions associated with specific "scenes" of arbitrary users.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Authorization bypass through user-controlled key

EUVDB-ID: #VU108085

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-31147

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can query information about total energy consumed by EV chargers of arbitrary users.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Authorization bypass through user-controlled key

EUVDB-ID: #VU108086

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-30257

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through a user-controlled key. A remote attacker can retrieve the serial numbers of the smart meters associated with a specific user account.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Authorization bypass through user-controlled key

EUVDB-ID: #VU108087

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27561

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to modify other users' data.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can rename "rooms" of arbitrary users.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Authorization bypass through user-controlled key

EUVDB-ID: #VU108088

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-24315

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to modify other users' data.

The vulnerability exists due to authorization bypass through user-controlled key. A remote attacker can add devices of other users to their scenes.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Authorization bypass through user-controlled key

EUVDB-ID: #VU108089

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27929

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authorization bypass through a user-controlled key. A remote attacker can retrieve the full list of users associated with arbitrary accounts.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Growatt cloud portal: - - 3.6.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.