CVE-2025-36751

Missing encryption on Local Configuration Interface or Cloud Endpoint Communication - Growatt MIC3300TL-X and ShineLan-X

CVE

CVE-2025-36751

Title

Missing encryption on Local Configuration Interface or Cloud Endpoint Communication - Growatt MIC3300TL-X and ShineLan-X

Credits

Alexandros Tokatlis (finder)
Victor Pasman (analyst)

Affected products

Product	Affected	Unaffected	Unknown
Growatt ShineLan-X	>= 3.6.0.0 to < 3.6.0.2 (semver)
Growatt ShineLan-X		everything else

CVSS

Base score	9.4 - CRITICAL
Attack Vector	ADJACENT
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	NONE
Confidentiality Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Integrity Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Availability Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Safety impact	PRESENT
Automatable	NOT_DEFINED
Recovery	NOT_DEFINED
Value Density	NOT_DEFINED
Vulnerability Response effort	NOT_DEFINED
Provider Urgency	NOT_DEFINED

References

https://csirt.divd.nl/CVE-2025-36751/ ( third-party-advisory )

Problem type(s)

CWE-311 Missing Encryption of Sensitive Data

Impact(s)

CAPEC-176 Configuration/Environment Manipulation

Date published

Last modified

Description

Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint.

JSON version.

DIVD CSIRT

CVE-2025-36751

Missing encryption on Local Configuration Interface or Cloud Endpoint Communication - Growatt MIC3300TL-X and ShineLan-X

Description