CVE-2025-29757

CVE CVE-2025-29757
Title
Case DIVD-2025-00011
Credits
Affected products
Product                             Affected                        Unaffected        Unknown
Growatt https://oss.growatt.com     >= 0 to < 13 Jun 2025 (date)    everything else
Growatt https://server.growatt.com  >= 0 to < 13 June 2025 (date)   everything else
CVSS
Base score 9.4 - CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Privileges Required LOW
Confidentiality Impact
Vulnerable system HIGH Subsequent systems HIGH
Integrity Impact
Vulnerable system HIGH Subsequent systems HIGH
Availability Impact
Vulnerable system NONE Subsequent systems HIGH
Safety impact PRESENT
Automatable NOT_DEFINED
Recovery NOT_DEFINED
Value Density CONCENTRATED
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED
References
Problem type(s) CWE-863 Incorrect Authorization
Impact(s) CAPEC-395 Bypassing Electronic Locks and Access Controls
Date published 09 Jul 2025 22:00 UTC
Last modified

Description

An incorrect authorisation check in the 'plant transfer' function of the Growatt cloud service allowed a malicious attacker with a valid account to transfer any plant into his/her own account.
