PatchSiren cyber security CVE debrief
CVE-2025-30254 Growatt CVE debrief
CVE-2025-30254 is a medium-severity information disclosure issue in Growatt's cloud portal. According to the CISA advisory, an unauthenticated attacker can obtain the serial number of a smart meter by using the owner's username. Growatt states the cloud-based vulnerabilities were patched and that no user action is needed, while also recommending standard account-hygiene steps for users and installers.
- Vendor: Growatt
- Product: Cloud portal
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-15
- Original CVE updated: 2025-05-06
- Advisory published: 2025-04-15
- Advisory updated: 2025-05-06
Who should care
Organizations and individuals using Growatt cloud portal deployments, especially administrators, installers, and asset owners responsible for smart meters connected to the Growatt cloud service. Security teams should also care because the flaw is reachable without authentication and exposes device-identifying information.
Technical summary
The advisory identifies a vulnerability in Growatt cloud portal versions <= 3.6.0. The issue allows an unauthenticated actor to retrieve a smart meter serial number when they know the owner's username. The published CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects network reachability, no required privileges, and limited confidentiality impact with no integrity or availability impact.
Defensive priority
Medium. The issue is externally reachable and does not require authentication, but the disclosed impact is limited to information exposure and the vendor reports the cloud vulnerabilities have already been patched. Prioritize review of any environments still relying on older portal versions or where account hygiene and access monitoring are weak.
Recommended defensive actions
- Verify that Growatt cloud portal components are updated to the latest available version; Growatt states updates are automatic and no user action is needed.
- Use strong, unique passwords for cloud accounts and enable multi-factor authentication where applicable.
- Review account and device access settings for unexpected changes or unfamiliar usernames.
- Monitor for unusual activity involving smart meter records or cloud portal access.
- Report security concerns to Growatt at [email protected].
- Follow CISA recommended practices for industrial control systems and general defense-in-depth guidance.
Evidence notes
This debrief is based on the CISA CSAF advisory titled "Growatt Cloud Applications" (ICSA-25-105-04), published 2025-04-15 and revised 2025-05-06 for typo fixes. The advisory lists Growatt cloud portal <= 3.6.0 as affected and states that an unauthenticated attacker can obtain a smart meter serial number using the owner's username. The advisory also states the cloud vulnerabilities were patched and no user action is needed.
Official resources
- CVE-2025-30254 CVE record (CVE.org)
- CVE-2025-30254 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2025-04-15 and later revised it on 2025-05-06 with typo fixes. The vulnerability is documented as already patched by Growatt in the cloud service.