
DIVD-2025-00011 - Failed authentication check in Growatt portal

Our reference DIVD-2025-00011
Case lead Tom Wolters
Researcher(s)
CVE(s)
Products
  • https://server.growatt.com
  • https://oss.growatt.com
Versions
  • All versions before 13 June 2025
Recommendation The vulnerability has been remediated by the vendor.
Patch status Fully patched
Status Open
Last modified 10 Jul 2025 10:38 CEST

Summary

Due to an error in the authentication feature of the plant transfer function, the Growatt cloud platform (either https://oss.growatt.com or https://server.growatt.com) failed to check authorisation when transferring a plant from one account to another. A malicious user with a (free) installer account could assign any plant to their own account without this being noticeable to the end user.

An attacker able to connect a significant number of plants with sufficient power, and then switch them at the right moment, could potentially disrupt the power grid.
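As an added illustration, not code from DIVD or from Growatt's platform: a Python model of the class of flaw described above, where a plant transfer endpoint verifies only that the caller holds an installer login (authentication) and never that the caller is entitled to move that particular plant (authorisation), beside a hardened version that requires the current owner's explicit approval. The account names, plant identifiers and the approval mechanism are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Plant:
    plant_id: str
    owner: str  # account that currently owns the plant

class TransferDenied(Exception):
    pass

def sample_state():
    """Constructed sample data: two end-user plants and one free installer account."""
    plants = {"plant-001": Plant("plant-001", "alice"),
              "plant-002": Plant("plant-002", "bob")}
    roles = {"alice": "end_user", "bob": "end_user", "mallory": "installer"}
    approvals = set()  # (plant_id, account) pairs approved by the plant's current owner
    return plants, roles, approvals

def transfer_plant_vulnerable(plants, roles, caller, plant_id, target):
    """Models the flaw: the endpoint checks that the caller is logged in as an
    installer (authentication) but never checks whether the caller is entitled
    to move this particular plant (authorisation)."""
    if roles.get(caller) != "installer":
        raise TransferDenied("installer login required")
    plant = plants[plant_id]
    plant.owner = target  # any plant can be reassigned to any account
    return plant.owner

def approve_transfer(plants, approvals, owner, plant_id, approved_account):
    """The current owner explicitly approves moving their plant to approved_account."""
    if plants[plant_id].owner != owner:
        raise TransferDenied("only the current owner can approve a transfer")
    approvals.add((plant_id, approved_account))

def transfer_plant_fixed(plants, roles, approvals, caller, plant_id, target):
    """Hardened version: being authenticated is not enough; the caller must be the
    plant's current owner or hold that owner's single-use approval."""
    if caller not in roles:
        raise TransferDenied("unauthenticated")
    plant = plants[plant_id]
    if caller != plant.owner and (plant_id, caller) not in approvals:
        # Log these denials: repeated failures from one installer account are a detection signal.
        raise TransferDenied(f"{caller} is not authorised to transfer {plant_id}")
    approvals.discard((plant_id, caller))  # approval is consumed once used
    plant.owner = target
    return plant.owner
```

With the vulnerable handler the installer account moves an end user's plant to itself without any involvement of the owner; with the hardened handler the same request is denied until the owner has approved it.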

What you can do

The vulnerability is in the cloud services of the vendor. The vendor remediated the vulnerability by disabling the plant transfer functionality. There is no action to be taken by the user.

What we are doing

We have disclosed the vulnerability to the vendor who, once we established contact, took prompt action.

Timeline

Date Description
11 Apr 2025 Vulnerability reported to DIVD
11 Apr 2025 First attempt to contact vendor
23 Apr 2025 Second attempt to contact vendor
11 May 2025 Vendor considered informed
12 May 2025 Third attempt to contact vendor
04 Jun 2025 Fourth attempt to contact vendor
07 Jun 2025 Vendor acknowledges contact
11 Jun 2025 Vendor receives full details
11 Jun 2025 Acknowledges receipt
11 May 2025 - 11 Jun 2025 Time to acknowledge (31 days)
13 Jun 2025 Vendor fixes vulnerability
11 May 2025 - 13 Jun 2025 Time to patch (33 days)
17 Jun 2025 Vendor reports vulnerabilities as fixed

More information