PatchSiren

CVE-2025-30514 Growatt CVE debrief

CVE-2025-30514 is a medium-severity information disclosure issue in Growatt cloud applications, specifically the Growatt cloud portal version 3.6.0 and earlier. According to CISA’s advisory, an unauthenticated attacker can obtain restricted information about a user’s smart device collections (“scenes”). The published CVSS v3.1 vector describes an issue that is reachable over the network and requires no privileges or user interaction, with impact limited to confidentiality. CISA’s advisory also states that the cloud-based vulnerabilities were patched and that no user action is needed, while still recommending basic account hardening and vigilance.

Vendor: Growatt
Product: Cloud portal
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-15
Original CVE updated: 2025-05-06
Advisory published: 2025-04-15
Advisory updated: 2025-05-06

Who should care

Anyone using or administering Growatt cloud portal-managed smart devices should care, especially site owners, installers, and account administrators who rely on the portal to manage collections (“scenes”) and device settings.

Technical summary

CISA’s CSAF advisory for Growatt Cloud Applications lists Growatt cloud portal <=3.6.0 as affected. The issue is described as an unauthenticated, network-accessible disclosure of restricted information about a user’s smart device collections (“scenes”). The advisory metadata assigns a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating low confidentiality impact and no integrity or availability impact. The advisory also states that the cloud-based vulnerabilities were patched and that updates are automatic, with no user action needed.

Defensive priority

Medium

Recommended defensive actions

  • Confirm you are using the latest Growatt cloud portal and device firmware available through normal update channels.
  • Use strong passwords for Growatt accounts and any associated administrative access.
  • Enable multi-factor authentication where applicable.
  • Review account activity and device access for anything unusual.
  • Report security concerns to [email protected].
  • Follow Growatt and CISA security guidance for ongoing hardening and monitoring.

Evidence notes

Primary facts come from CISA’s CSAF advisory ICSA-25-105-04 (Growatt Cloud Applications), published on 2025-04-15 and modified on 2025-05-06. The source corpus identifies Growatt cloud portal <=3.6.0 as affected, describes the unauthenticated disclosure of restricted scene information, and includes the CVSS v3.1 vector and remediation statements. The 2025-05-06 modification is recorded as a revision for typo fixes only.

Official resources

Publicly disclosed by CISA in ICSA-25-105-04 on 2025-04-15; the advisory was revised on 2025-05-06 for typo fixes.