PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-27939 Growatt CVE debrief

CVE-2025-27939 is a high-severity account-takeover issue in the Growatt cloud portal. The advisory says an attacker can change another user's registered email address and then take over arbitrary accounts. CISA's CSAF advisory identifies the affected product as Growatt cloud portal version 3.6.0 and earlier. Growatt states the cloud-based vulnerabilities were patched and that no user action is needed, while still recommending standard account-security precautions.

Vendor: Growatt
Product: Cloud portal
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-15
Original CVE updated: 2025-05-06
Advisory published: 2025-04-15
Advisory updated: 2025-05-06

Who should care

Organizations and individuals using the Growatt cloud portal, especially administrators, installers, support teams, and anyone responsible for account management, identity controls, or user monitoring. Security teams should pay attention to unauthorized email-change activity and account-recovery abuse.

Technical summary

The advisory describes an authentication and account-management weakness: a network-based attacker with no privileges and no user interaction can alter the registered email address of another user's account. Since password-recovery flows typically send the reset link to the registered address, rebinding it is usually enough to take the account over, which matches the advisory's wording. CISA lists the CVSS v3.1 vector as AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N with a score of 7.5; that scoring records the impact as an integrity loss (I:H) with no direct confidentiality or availability impact, although a taken-over account gives the attacker whatever that user could see and do in the portal. The affected product is listed as 'Growatt cloud portal: <=3.6.0'. The advisory does not describe the underlying defect in any more detail.
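The advisory says only that an unprivileged remote attacker could change another user's registered email; it does not describe the portal's code. The following is an added example (not PatchSiren's, Growatt's or CISA's code) that contrasts a hypothetical weak email-change handler with the control whose absence that description implies: bind the target account to the authenticated session, never to a caller-supplied identifier, and stage the change behind a token sent to the new address. The in-memory store, session model, function names and the Bob/Mallory scenario are assumptions made for illustration.

```python
"""Ownership-bound, verified email change (added example, not Growatt's code).

The store, sessions, mailer and names below are constructed for
illustration; they do not describe the Growatt portal's implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    user_id: str
    email: str
    pending_email: str = ""
    pending_token_hash: str = ""


ACCOUNTS = {}   # user_id -> Account        (constructed in-memory store)
SESSIONS = {}   # session_id -> user_id     (constructed session table)
OUTBOX = []     # (recipient, subject) pairs; stands in for the mailer


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


# Weak pattern (hypothetical, for contrast only): trusts a caller-supplied
# user_id and applies the change at once, so anyone who can reach the
# endpoint can rebind any account's email and then drive a password reset.
def change_email_weak(user_id, new_email):
    ACCOUNTS[user_id].email = new_email


# Hardened pattern: (1) require a valid session, (2) derive the target
# account from the session rather than the request, (3) stage the change
# behind a single-use token delivered to the new address, (4) tell the old
# address that a change was requested so the owner can react.
def request_email_change(session_id, new_email):
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        raise PermissionError("authentication required")
    acct = ACCOUNTS[user_id]
    token = secrets.token_urlsafe(32)
    acct.pending_email = new_email
    acct.pending_token_hash = _hash(token)          # store only the hash
    OUTBOX.append((new_email, f"confirm email change for {user_id}"))
    OUTBOX.append((acct.email, f"email change requested for {user_id}"))
    return token   # in a real system this reaches the user only via the mail


def confirm_email_change(session_id, token):
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        raise PermissionError("authentication required")
    acct = ACCOUNTS[user_id]
    if not acct.pending_email or not hmac.compare_digest(
        acct.pending_token_hash, _hash(token)
    ):
        return False
    acct.email = acct.pending_email
    acct.pending_email, acct.pending_token_hash = "", ""
    return True


def demo():
    """Constructed scenario: Mallory, logged in as herself, targets Bob."""
    ACCOUNTS.clear(); SESSIONS.clear(); OUTBOX.clear()
    ACCOUNTS["bob"] = Account("bob", "bob@example.com")
    ACCOUNTS["mallory"] = Account("mallory", "mallory@example.net")
    SESSIONS["s-mallory"] = "mallory"
    out = {}
    change_email_weak("bob", "attacker@example.net")   # weak: any account
    out["weak_bob_email"] = ACCOUNTS["bob"].email
    ACCOUNTS["bob"].email = "bob@example.com"          # restore for contrast
    try:
        request_email_change("no-session", "attacker@example.net")
        out["unauth_rejected"] = False
    except PermissionError:
        out["unauth_rejected"] = True
    token = request_email_change("s-mallory", "attacker@example.net")
    out["bob_email_after_request"] = ACCOUNTS["bob"].email  # untouched
    out["wrong_token_accepted"] = confirm_email_change("s-mallory", "bad")
    out["right_token_accepted"] = confirm_email_change("s-mallory", token)
    out["mallory_email"] = ACCOUNTS["mallory"].email
    out["old_address_notified"] = any(
        to == "mallory@example.net" for to, _ in OUTBOX
    )
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a production portal the hardened path would also re-prompt for the current password (or a second factor) before accepting the request, so that a hijacked session alone cannot rebind the address; that step is left out here to keep the ownership check itself visible.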

Defensive priority

High. The issue is remotely reachable, requires no privileges or user interaction, and can directly impact account integrity by enabling takeover.

Recommended defensive actions

  • The portal is vendor-hosted, so there is no customer-side patch to apply; Growatt states the fix has been deployed on its side. Confirm with Growatt or its notifications that your accounts are served by the patched service (the advisory's affected range is version 3.6.0 and earlier) rather than looking for a local update.
  • Treat unexpected account email changes, password-reset requests, or account-recovery events as suspicious and investigate immediately, in particular an email change that is followed shortly by a password reset.
  • Enable multi-factor authentication where the portal offers it and use strong, unique passwords for portal accounts.
  • Review account administration and audit logs for changes to registered email addresses or profile data, especially changes not initiated from the account owner's own session, and for one new address or source IP being attached to several accounts.
  • Growatt's guidance is that the cloud-side vulnerabilities are patched and no user action is required; still keep devices and related software on the latest available versions.
  • Report security concerns to Growatt at [email protected].
  • Apply CISA industrial control systems recommended practices and broader defense-in-depth guidance for account protection and monitoring.
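The log review and "investigate email changes" steps above can be turned into a small triage script. The following is an added example (not PatchSiren's or Growatt's code, and not a real Growatt log format): it reads constructed JSON-lines audit events, whose field names are assumptions, and flags the three indicators the actions above call out, an email change not made by the account owner, a password reset shortly after an email change, and one new address or source IP attached to several accounts. Map the field names onto whatever your portal or SIEM actually exports.

```python
"""Flag account-takeover indicators in portal audit logs (added example).

Log format, field names, thresholds and sample events are constructed for
illustration; none of them come from Growatt or the CISA advisory.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. An empty actor stands for a request that
# carried no authenticated identity; a matching actor/target is the owner.
SAMPLE_LOG = """\
{"ts":"2025-04-16T09:00:00Z","event":"login","actor":"alice","target":"alice","src_ip":"203.0.113.10"}
{"ts":"2025-04-16T09:05:00Z","event":"email_change","actor":"alice","target":"alice","old":"alice@example.com","new":"alice.new@example.com","src_ip":"203.0.113.10"}
{"ts":"2025-04-16T10:00:00Z","event":"email_change","actor":"","target":"bob","old":"bob@example.com","new":"attacker@example.net","src_ip":"198.51.100.7"}
{"ts":"2025-04-16T10:02:00Z","event":"password_reset","actor":"","target":"bob","src_ip":"198.51.100.7"}
{"ts":"2025-04-16T10:03:00Z","event":"email_change","actor":"","target":"carol","old":"carol@example.com","new":"attacker@example.net","src_ip":"198.51.100.7"}
{"ts":"2025-04-16T10:04:00Z","event":"email_change","actor":"dave","target":"dave","old":"dave@example.com","new":"dave2@example.com","src_ip":"203.0.113.22"}
"""

RESET_WINDOW = timedelta(minutes=30)  # reset this soon after an email change is suspect
FANOUT_THRESHOLD = 2                  # same new address / source IP across >= 2 accounts


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_indicators(events):
    """Return a list of (rule, target_accounts, detail) findings."""
    findings = []
    by_target = defaultdict(list)
    for event in events:
        by_target[event["target"]].append(event)
    new_addr_targets = defaultdict(set)
    ip_targets = defaultdict(set)

    for event in events:
        if event["event"] != "email_change":
            continue
        target = event["target"]
        # Rule 1: the change was not made by the account owner's own identity.
        if event.get("actor") != target:
            findings.append(("email_change_not_by_owner", target,
                             f"actor={event.get('actor')!r} src_ip={event['src_ip']}"))
        # Rule 2: a password reset on the same account inside the window.
        for later in by_target[target]:
            if (later["event"] == "password_reset"
                    and event["ts"] < later["ts"] <= event["ts"] + RESET_WINDOW):
                findings.append(("reset_after_email_change", target,
                                 f"reset at {later['ts'].isoformat()}"))
                break
        new_addr_targets[event["new"]].add(target)
        ip_targets[event["src_ip"]].add(target)

    # Rule 3: one new address or one source IP rebinding several accounts.
    for addr, targets in new_addr_targets.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings.append(("shared_new_email", ",".join(sorted(targets)), addr))
    for ip, targets in ip_targets.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings.append(("shared_source_ip", ",".join(sorted(targets)), ip))
    return findings


if __name__ == "__main__":
    for rule, who, detail in find_indicators(parse_events(SAMPLE_LOG)):
        print(f"{rule:28} {who:12} {detail}")
```

Run against the constructed sample, the script flags bob and carol on all three rules and leaves alice and dave alone, since each of them changed their own address from their own session. Rule 1 depends on the log recording who made the change; if your export lacks an actor field, rules 2 and 3 still work on target, timestamp, new address and source IP alone.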

Evidence notes

The source advisory states: 'An attacker can change registered email addresses of other users and take over arbitrary accounts.' The affected product is listed as 'Growatt cloud portal: <=3.6.0'. Growatt's remediation text says the cloud-based vulnerabilities were patched and no user action is needed, while also recommending strong passwords, MFA where applicable, and vigilance for unusual activity. The advisory was initially published on 2025-04-15 and later revised on 2025-05-06 for typo fixes only.

Official resources

CISA published the advisory on 2025-04-15 and issued a revision on 2025-05-06 that the source history says was for typo fixes. This debrief uses the CVE publication date as the issue date and does not treat the revision date as a new flaw.