CVE-2025-36747

Hardcoded FTP Credentials within the firmware

CVE

CVE-2025-36747

Title

Hardcoded FTP Credentials within the firmware

Credits

Hamid Rahmouni (finder)
Victor Pasman (analyst)

Affected products

Product	Affected	Unaffected	Unknown
Growatt ShineLan-X	>= 3.6.0.0 to < 3.6.0.2 (semver)
Growatt ShineLan-X		everything else

CVSS

Base score	9.4 - CRITICAL
Attack Vector	NETWORK
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	NONE
Confidentiality Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Integrity Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Availability Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Safety impact	PRESENT
Automatable	NOT_DEFINED
Recovery	NOT_DEFINED
Value Density	NOT_DEFINED
Vulnerability Response effort	NOT_DEFINED
Provider Urgency	NOT_DEFINED

References

https://csirt.divd.nl/CVE-2025-36747/ ( third-party-advisory )

Problem type(s)

CWE-798 Use of Hard-coded Credentials

Impact(s)

CAPEC-233 Privilege Escalation

Date published

Last modified

Description

ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.

JSON version.

DIVD CSIRT

CVE-2025-36747

Hardcoded FTP Credentials within the firmware

Description