CVE-2025-36752

Critical CVSS: 9.4

Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.

Vendor

Growatt

Product

Shine Lan-x Firmware

CWE

CWE-798

Yayın Tarihi

2025-12-13 16:16:54

Güncelleme

2026-01-14 18:05:00

Source Identifier

csirt@divd.nl

KEV Date Added

Kategoriler

CWE-798 Shine Lan-x Firmware CRITICAL Growatt 2025

Referanslar

https://csirt.divd.nl/CVE-2025-36752/

Benzer Kayıtlar

High

CVE-2025-36750

ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the Plant Name field. A HTML payload will be di…

High

CVE-2025-36753

The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to…

Critical

CVE-2025-36747

ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish…

High

CVE-2025-36748

ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScr…

Medium

CVE-2025-31147

Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.

Medium

CVE-2025-31360

Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.