CVE-2025-36752

Undocumented backup Account and No Password Configuration Capability

CVE

CVE-2025-36752

Title

Undocumented backup Account and No Password Configuration Capability

Credits

Alexandros Tokatlis (finder)
Victor Pasman (analyst)

Affected products

Product	Affected	Unaffected	Unknown
Growatt ShineLan-X	>= 3.6.0.0 to < 3.6.0.2 (semver)
Growatt ShineLan-X		everything else

CVSS

Base score	9.4 - CRITICAL
Attack Vector	ADJACENT
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	NONE
Confidentiality Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Integrity Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Availability Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Safety impact	PRESENT
Automatable	NOT_DEFINED
Recovery	NOT_DEFINED
Value Density	NOT_DEFINED
Vulnerability Response effort	NOT_DEFINED
Provider Urgency	NOT_DEFINED

References

https://csirt.divd.nl/CVE-2025-36752/ ( third-party-advisory )

Problem type(s)

CWE-798 Use of Hard-coded Credentials

Impact(s)

CAPEC-233 Privilege Escalation

Date published

Last modified

Description

Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.

JSON version.

DIVD CSIRT

CVE-2025-36752

Undocumented backup Account and No Password Configuration Capability

Description