PatchSiren

CVE-2025-30257 Growatt CVE debrief

CVE-2025-30257 is a medium-severity information-disclosure issue in Growatt's cloud portal. According to CISA's advisory, unauthenticated attackers can retrieve the serial number of smart meters associated with a specific user account. Growatt states the cloud-based vulnerabilities were patched and that no user action is needed, while also recommending basic account hygiene such as strong passwords and MFA where applicable.

Vendor: Growatt
Product: Cloud portal
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-15
Original CVE updated: 2025-05-06
Advisory published: 2025-04-15
Advisory updated: 2025-05-06

Who should care

Organizations and individuals using the Growatt cloud portal to manage smart meters should care, especially installers, operators, and administrators responsible for account security and device inventory.

Technical summary

CISA's CSAF advisory for ICSA-25-105-04 identifies Growatt cloud portal version <=3.6.0 as affected. The issue allows network-based, unauthenticated access to smart meter serial numbers associated with a user account. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, consistent with low confidentiality impact and no integrity or availability impact.

Defensive priority

Moderate. The vulnerability is externally reachable and requires no authentication, but the disclosed data is limited to serial numbers and the vendor reports the cloud-side issue was patched. Prioritize verification of exposure, vendor update status, and account protections.

Recommended defensive actions

  • Confirm whether any environments used Growatt cloud portal version 3.6.0 or earlier.
  • Verify that the vendor's cloud-side fix is in place and note that Growatt states no user action is needed.
  • Use strong passwords and enable multi-factor authentication where applicable.
  • Review account access and device inventories for unexpected changes or unusual activity.
  • Report security concerns to [email protected] as advised by the vendor.

Evidence notes

All facts are taken from CISA's CSAF advisory ICSA-25-105-04 and the linked official references. The advisory was first published on 2025-04-15 and revised on 2025-05-06 for typo fixes only. The source states the affected product is Growatt cloud portal <=3.6.0, the issue is unauthenticated serial-number disclosure, and Growatt reports the cloud vulnerabilities were patched. No KEV entry was supplied.

Official resources

Initial publication: 2025-04-15T06:00:00.000Z. Revision 2: 2025-05-06T06:00:00.000Z, described by CISA as typo fixes only.