PatchSiren cyber security CVE debrief

CVE-2025-30511 Growatt CVE debrief

CISA's advisory for Growatt cloud applications (ICSA-25-105-04) describes an authenticated stored cross-site scripting issue in the Growatt cloud portal, affecting version <=3.6.0. The flaw stems from improper sanitization of the plant name value when a user adds or edits a plant. The advisory assigns CVSS v3.1 8.8 (HIGH). Growatt states the cloud-based vulnerabilities were patched and no user action is needed, and it also recommends strong passwords, multi-factor authentication where applicable, and general security vigilance.

Vendor: Growatt
Product: Cloud portal
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-15
Original CVE updated: 2025-05-06
Advisory published: 2025-04-15
Advisory updated: 2025-05-06

Who should care

Organizations and installers using the Growatt cloud portal, administrators responsible for user access and plant record management, and security teams monitoring web applications that accept authenticated user input should care most.

Technical summary

This is a stored XSS condition in the Growatt cloud portal. An authenticated user can supply unsanitized content through the plant name field during plant creation or editing, and that content may later render in another user's browser. The supplied advisory lists Growatt cloud portal version <=3.6.0 as affected and provides CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

High. The published severity is 8.8 (HIGH), the attack requires only authenticated access, and the issue affects a cloud portal workflow that can expose other users to stored XSS. There is no KEV listing in the supplied data, but the issue still warrants prompt verification and remediation.

Recommended defensive actions

  • Confirm whether any environment is using Growatt cloud portal version <=3.6.0 and apply the vendor's patched cloud version or automatic update path.
  • Restrict who can add or edit plant records to the minimum necessary set of users.
  • Use strong passwords and enable multi-factor authentication where applicable, as recommended by the vendor.
  • Verify that user-supplied fields are properly sanitized and output-encoded in all affected views.
  • Monitor for unusual activity in accounts that can add or edit plant records and report concerns to [email protected].
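As an added illustration of the fourth action above (this is example code, not Growatt's portal code; the field limits, function names and sample records are assumptions), the pattern that closes a stored XSS in a free-text field such as the plant name is to validate on input and, independently, HTML-encode on every output:

```javascript
// Added illustration (not Growatt code): defensive handling of a user-supplied
// plant name in a web portal. Two layers: a conservative input check when the
// plant is created or edited, and mandatory HTML encoding when the stored value
// is rendered into another user's page. Encoding at output is the control that
// prevents stored XSS; input validation only narrows what gets stored.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode every HTML metacharacter so stored text renders as text, never markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input-side check for the "add/edit plant" request (length limit is assumed).
// Returns { ok: true, value } or { ok: false, reason }.
function validatePlantName(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  const name = raw.trim();
  if (name.length === 0 || name.length > 64) return { ok: false, reason: "length" };
  // Control characters have no place in a display name and complicate logging.
  if (/[\u0000-\u001f\u007f]/.test(name)) return { ok: false, reason: "control chars" };
  return { ok: true, value: name };
}

// Output-side rendering of one plant row. The stored name is escaped here
// regardless of whether it was validated when saved, so a record written
// before the fix is still rendered safely.
function renderPlantRow(plant) {
  return `<tr><td>${escapeHtml(plant.id)}</td><td>${escapeHtml(plant.name)}</td></tr>`;
}

// Constructed sample records: one benign name with quoting characters and one
// carrying markup that an unescaped template would hand to the browser as HTML.
const SAMPLE_PLANTS = [
  { id: 101, name: 'Rooftop "North" & West' },
  { id: 102, name: "Farm <script>1</script>" },
];

// Returns true when the only "<" left in the rendered rows belong to the
// table tags themselves, i.e. no user-supplied markup survived encoding.
function rendersSafely(plants) {
  return plants.every((p) => !/<(?!\/?t[rd]>)/.test(renderPlantRow(p)));
}
```

Checking rendered output with `rendersSafely` is a useful regression test for any view that displays plant records, since output encoding must hold even for records stored before the vendor patch.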

Evidence notes

This debrief is based on the supplied CISA CSAF advisory ICSA-25-105-04 and the referenced CVE record. The advisory was published on 2025-04-15 and revised on 2025-05-06; the revision history states the update was for typo fixes only. The vendor remediation text says the cloud-based vulnerabilities were patched and no user action is needed.

Official resources

CISA published the advisory on 2025-04-15 and issued a revision on 2025-05-06 for typo fixes. The supplied data does not indicate KEV inclusion or ransomware campaign association.