CVE-2025-36754

Authentication bypass on web interface

CVE

CVE-2025-36754

Title

Authentication bypass on web interface

Credits

Hamid Rahmouni (finder)
Victor Pasman (analyst)

Affected products

Product	Affected	Unaffected	Unknown
Growatt ShineLan-X	>= 3.6.0.0 to < 3.6.0.2 (semver)
Growatt ShineLan-X		everything else

CVSS

Base score	9.3 - CRITICAL
Attack Vector	LOCAL
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	LOW
Confidentiality Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Integrity Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Availability Impact
Vulnerable system	LOW	Subsequent systems	HIGH
Safety impact	NOT_DEFINED
Automatable	NOT_DEFINED
Recovery	NOT_DEFINED
Value Density	NOT_DEFINED
Vulnerability Response effort	NOT_DEFINED
Provider Urgency	NOT_DEFINED

References

https://csirt.divd.nl/CVE-2025-36754/ ( third-party-advisory )

Problem type(s)

CWE-290 Authentication Bypass by Spoofing

Impact(s)

CAPEC-233 Privilege Escalation

Date published

Last modified

Description

The authentication mechanism on web interface is not properly implemented. It is possible to bypass authentication checks by crafting a post request with new settings since there is no session token or authentication in place. This would allow an attacker for instance to point the device to an arbitrary address for domain name resolution to e.g. facililitate a man-in-the-middle (MitM) attack.

JSON version.

DIVD CSIRT

CVE-2025-36754

Authentication bypass on web interface

Description