PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-31147 Growatt CVE debrief

CVE-2025-31147 affects the Growatt cloud portal and is rated Medium (CVSS 5.3). According to CISA’s advisory, unauthenticated attackers could query information about the total energy consumed by EV chargers belonging to arbitrary users. The advisory covers Growatt cloud portal versions up to 3.6.0. Growatt states the cloud-based vulnerabilities were patched and that no user action is needed, while also recommending standard account and device hygiene such as strong passwords, MFA where applicable, and review of security settings.

Vendor: Growatt
Product: Cloud portal
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-15
Original CVE updated: 2025-05-06
Advisory published: 2025-04-15
Advisory updated: 2025-05-06

Who should care

Operators, administrators, and users of Growatt cloud portal deployments for EV charging should care, especially teams responsible for monitoring customer usage data, account access, and cloud-connected charging infrastructure.

Technical summary

The issue is an information disclosure condition in the Growatt cloud portal: unauthenticated remote access can be used to retrieve total-energy-consumption information for EV chargers tied to arbitrary users. The advisory identifies affected products as Growatt cloud portal versions <=3.6.0. The published CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating a network-reachable issue with low confidentiality impact and no integrity or availability impact.
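As an added illustration, not Growatt's code or the actual portal API, the hypothetical Python handlers below contrast the missing-authorization pattern the advisory describes (any caller can read any user's charger totals by naming an id) with a version that requires authentication and checks object ownership. Charger ids, account names and kWh values are constructed.

```python
"""Added example: hypothetical request handlers modelling the flaw class
described in the advisory. Nothing here is Growatt's code or API."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: charger id -> (owner account, lifetime energy in kWh).
CHARGERS = {
    "chg-1001": ("alice", 1234.5),
    "chg-1002": ("bob", 88.0),
}


@dataclass
class Request:
    charger_id: str
    user: Optional[str] = None  # None models an unauthenticated caller


@dataclass
class Response:
    status: int
    body: dict


def total_energy_vulnerable(req: Request) -> Response:
    """Pattern matching the advisory: the handler never looks at who is
    asking, so any caller can read any charger's total energy by id."""
    rec = CHARGERS.get(req.charger_id)
    if rec is None:
        return Response(404, {"error": "unknown charger"})
    _owner, kwh = rec
    return Response(200, {"charger": req.charger_id, "total_kwh": kwh})


def total_energy_hardened(req: Request) -> Response:
    """Authenticate first, then authorize against the object's owner.
    Unknown ids and ids owned by someone else both return 404, so the
    endpoint does not reveal which charger ids exist."""
    if req.user is None:
        return Response(401, {"error": "authentication required"})
    rec = CHARGERS.get(req.charger_id)
    if rec is None or rec[0] != req.user:
        return Response(404, {"error": "unknown charger"})
    return Response(200, {"charger": req.charger_id, "total_kwh": rec[1]})
```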

Defensive priority

Medium. The exposure is externally reachable and requires no authentication, but the impact is limited to a low confidentiality loss, with no integrity or availability impact. Treat it as a priority for cloud portal operators handling user charging data, and verify patch status promptly.

Recommended defensive actions

  • Verify that the Growatt cloud portal instances you rely on are running the fixed version or the latest available update.
  • Confirm whether any connected devices or cloud services still report a portal version <=3.6.0, which the advisory lists as affected.
  • Review access controls and monitoring for unusual queries or data access patterns involving charging-usage information.
  • Use strong passwords and enable multi-factor authentication where applicable, as recommended in the advisory.
  • Follow Growatt’s guidance to stay vigilant and review security settings regularly.
  • Report security concerns to [email protected] if suspicious activity or exposure is identified.

Evidence notes

All substantive claims here are taken from the CISA CSAF advisory for ICSA-25-105-04/CVE-2025-31147 and its revision history. The published date used is 2025-04-15, and the 2025-05-06 modification is described by CISA as typo fixes only.

Official resources

CISA published the advisory on 2025-04-15 and later revised it on 2025-05-06 for typo fixes only.