CVE-2025-36753

SWD Interface Open on Growatt ShineLan-X

CVE

CVE-2025-36753

Title

SWD Interface Open on Growatt ShineLan-X

Credits

Hamid Rahmouni (finder)
Victor Pasman (analyst)

Affected products

Product	Affected	Unaffected	Unknown
Growatt ShineLan-X	>= 3.6.0.0 to < 3.6.0.2 (semver)
Growatt ShineLan-X		everything else

CVSS

Base score	8.6 - HIGH
Attack Vector	PHYSICAL
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	NONE
Confidentiality Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Integrity Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Availability Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Safety impact	NOT_DEFINED
Automatable	NOT_DEFINED
Recovery	NOT_DEFINED
Value Density	NOT_DEFINED
Vulnerability Response effort	NOT_DEFINED
Provider Urgency	NOT_DEFINED

References

https://csirt.divd.nl/CVE-2025-36753/ ( third-party-advisory )

Problem type(s)

CWE-290 Authentication Bypass by Spoofing

Impact(s)

CAPEC-233 Privilege Escalation

Date published

Last modified

Description

The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extracting secrets or domains from within the device.

JSON version.

DIVD CSIRT

CVE-2025-36753

SWD Interface Open on Growatt ShineLan-X

Description