CVE-2025-26857 Growatt CVE debrief

Who should care

Growatt cloud portal users, installers, operators of EV chargers managed through the platform, and administrators responsible for monitoring device names and account activity.

Technical summary

The advisory describes an unauthenticated, network-reachable issue in the Growatt cloud portal affecting Growatt cloud portal: <=3.6.0. The stated impact is unauthorized renaming of devices owned by other users. The published CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating low confidentiality impact in the scoring record and no listed integrity or availability impact in the vector, despite the advisory’s device-renaming description.

Defensive priority

Moderate. The issue is remotely reachable and requires no authentication, but the advisory indicates vendor-side remediation has already been applied and no user action is needed for the cloud vulnerability itself.

Recommended defensive actions

• Confirm whether any managed devices are on the affected Growatt cloud portal version scope (<=3.6.0).
• Review device names and recent account activity for unexpected changes, especially for EV chargers.
• Use strong passwords and enable multi-factor authentication where available.
• Follow Growatt’s guidance and keep devices on the latest firmware when updates are available.
• Report suspicious activity or security concerns to [email protected].
• Monitor official CISA and Growatt advisories for any follow-up guidance.

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-25-105-04, titled "Growatt Cloud Applications," published 2025-04-15 and revised 2025-05-06 for typo fixes. The advisory states that unauthenticated attackers can rename arbitrary devices of arbitrary users and identifies the affected product as Growatt cloud portal <=3.6.0. Growatt’s remediation notes state the cloud-based vulnerabilities were patched and no user action is needed.

Official resources