PatchSiren cyber security CVE debrief

CVE-2025-25276 Growatt CVE debrief

CVE-2025-25276 is a medium-severity issue in Growatt cloud applications / cloud portal. CISA’s advisory says an unauthenticated attacker can hijack other users’ devices and potentially control them. The affected product is listed as Growatt cloud portal <=3.6.0. Growatt states the cloud-based vulnerabilities were patched and that no user action is needed, while also recommending strong passwords, MFA where applicable, and regular review of security settings for unusual activity.

Vendor: Growatt
Product: Cloud portal
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-15
Original CVE updated: 2025-05-06
Advisory published: 2025-04-15
Advisory updated: 2025-05-06

Who should care

Owners and operators of Growatt cloud portal deployments, plus users and installers who manage connected devices or accounts, should review account security and monitor for unusual device activity.

Technical summary

CISA classifies the issue as CVSS 3.1 5.3 MEDIUM with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. That means the attack is network-reachable, requires no privileges, and needs no user interaction. The advisory description is limited but explicitly states that an unauthenticated attacker can hijack other users’ devices and potentially control them. The supplied advisory does not add further exploitation details beyond the affected product scope and remediation guidance.

Defensive priority

Medium — prioritize because the issue is unauthenticated and does not require user interaction, even though the published CVSS impact is limited to integrity.

Recommended defensive actions

  • Confirm whether any devices or services use Growatt cloud portal version 3.6.0 or earlier.
  • Apply Growatt updates as provided; the advisory says the cloud-based vulnerabilities were patched and updates are automatic when available.
  • Use strong passwords and enable multi-factor authentication where applicable.
  • Review security settings regularly and watch for unusual device or account activity.
  • Report security concerns to [email protected].

Evidence notes

Primary evidence comes from CISA’s CSAF advisory ICSA-25-105-04, published 2025-04-15 and revised 2025-05-06 for typo fixes. The advisory lists Growatt cloud portal <=3.6.0 as affected and states that an unauthenticated attacker can hijack other users’ devices and potentially control them. The remediation section says the cloud-based vulnerabilities were patched, updates are automatic when available, and users should use strong passwords, enable MFA where applicable, and review security settings. No KEV entry is provided in the supplied corpus.

Official resources

CISA published ICSA-25-105-04 / CVE-2025-25276 on 2025-04-15 and issued a revision on 2025-05-06 that the advisory says fixed typos.