CVE-2025-36744

SolarEdge SE3680H - Information Exposure during Bootloader Loop

CVE CVE-2025-36744
Title SolarEdge SE3680H - Information Exposure during Bootloader Loop
Credits
  • Alexandros Tokatlis (ENCS) (finder)
  • Victor Pasman (DIVD) (analyst)
Affected products
Product Affected Unaffected Unknown
SolarEdge SE3680H >= 4.0 to < 4.22 (semver)
everything else
CVSS
Base score 2.4 - LOW
Attack Vector PHYSICAL
Attack Complexity LOW
Attack Requirements NONE
Privileges Required NONE
Confidentiality Impact
Vulnerable system LOW Subsequent systems NONE
Integrity Impact
Vulnerable system NONE Subsequent systems NONE
Availability Impact
Vulnerable system NONE Subsequent systems NONE
Safety impact NOT_DEFINED
Automatable NO
Recovery NOT_DEFINED
Value Density DIFFUSE
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED
References
Problem type(s) CWE-1295: Debug Messages Revealing Unnecessary Information
Impact(s) CAPEC-37 Retrieve Embedded Sensitive Data
Date published
Last modified

Description

SolarEdge SE3680H has unauthenticated disclosure of sensitive information during the bootloader loop. While the device repeatedly initializes and waits for boot instructions, the bootloader emits diagnostic output; this behavior can leak operating system information.

