growatt 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact session compromise などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-36753 | The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extracting secrets or domains from within the device | [email protected] | 8.6 | 0.06% | 2025-12-13 | 2026-01-14 |
| CVE-2025-36752 | Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle. | [email protected] | 9.4 | 0.05% | 2025-12-13 | 2026-01-14 |
| CVE-2025-36750 | ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the Plant Name field. A HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code. | [email protected] | 8.5 | 0.02% | 2025-12-13 | 2026-01-14 |
| CVE-2025-36748 | ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code. | [email protected] | 8.4 | 0.02% | 2025-12-13 | 2026-01-14 |
| CVE-2025-36747 | ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced. | [email protected] | 9.4 | 0.06% | 2025-12-13 | 2026-01-14 |
| CVE-2025-31950 | An unauthenticated attacker can obtain EV charger energy consumption information of other users. | [email protected] | 6.9 | 0.58% | 2025-04-15 | 2025-11-12 |
| CVE-2025-31945 | An unauthenticated attacker can obtain other users' charger information. | [email protected] | 6.9 | 0.61% | 2025-04-15 | 2025-11-12 |
| CVE-2025-31654 | An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). | [email protected] | 6.9 | 0.48% | 2025-04-15 | 2025-11-12 |
| CVE-2025-31360 | Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | [email protected] | 6.9 | 0.73% | 2025-04-15 | 2025-11-12 |
| CVE-2025-31147 | Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | [email protected] | 6.9 | 0.58% | 2025-04-15 | 2025-11-14 |
| CVE-2025-30512 | Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off). | [email protected] | 6.9 | 0.36% | 2025-04-15 | 2025-11-14 |
| CVE-2025-30510 | An attacker can upload an arbitrary file instead of a plant image. | [email protected] | 9.3 | 0.40% | 2025-04-15 | 2025-11-14 |
| CVE-2025-30257 | Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account. | [email protected] | 6.9 | 0.58% | 2025-04-15 | 2025-11-14 |
| CVE-2025-27929 | Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts. | [email protected] | 6.9 | 0.58% | 2025-04-15 | 2025-11-14 |
| CVE-2025-27927 | An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API. | [email protected] | 6.9 | 0.58% | 2025-04-15 | 2025-11-14 |
| CVE-2025-27719 | Unauthenticated attackers can query an API endpoint and get device details. | [email protected] | 6.9 | 1.08% | 2025-04-15 | 2025-11-14 |
| CVE-2025-27575 | An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. | [email protected] | 6.9 | 0.58% | 2025-04-15 | 2025-11-14 |
| CVE-2025-27565 | An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. | [email protected] | 6.9 | 0.90% | 2025-04-15 | 2025-11-14 |
| CVE-2025-27561 | Unauthenticated attackers can rename "rooms" of arbitrary users. | [email protected] | 6.9 | 0.90% | 2025-04-15 | 2025-11-14 |
| CVE-2025-26857 | Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers). | [email protected] | 6.9 | 0.42% | 2025-04-15 | 2025-11-14 |