PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-31949 Growatt CVE debrief

CVE-2025-31949 is a medium-severity information disclosure issue in Growatt cloud portal deployments. According to CISA’s advisory, an authenticated attacker who knows a plant ID can obtain the corresponding plant name. The advisory was published on 2025-04-15 and later revised on 2025-05-06 for typo fixes, with no change to the core issue description. The affected product listed in the source is Growatt cloud portal version 3.6.0 and earlier. Growatt states the cloud-based vulnerabilities were patched and that no user action is needed, while also recommending standard account-hardening and monitoring steps.

Vendor: Growatt
Product: Cloud portal
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-15
Original CVE updated: 2025-05-06
Advisory published: 2025-04-15
Advisory updated: 2025-05-06

Who should care

Operators and administrators using Growatt cloud portal, especially environments that manage plant identifiers or expose portal access to authenticated users. Security teams responsible for OT/ICS-adjacent cloud services should also review account controls and access logging.

Technical summary

The source advisory describes a confidentiality-only issue: an authenticated attacker can retrieve a plant name by knowing a plant ID. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, which describes a network-reachable issue with low attack complexity, low confidentiality impact and no stated integrity or availability impact. Note that the vector records PR:N (no privileges required) even though the advisory text describes an authenticated attacker. The affected product entry in the CSAF data is "Growatt Growatt cloud portal: <=3.6.0."

Defensive priority

Moderate. This is not a KEV-listed issue in the supplied corpus and the reported impact is limited to low confidentiality exposure, but it still warrants review because it affects a cloud portal used for device/plant management.

Recommended defensive actions

  • Confirm whether any environments use Growatt cloud portal version 3.6.0 or earlier.
  • Apply vendor updates or verify that the cloud-side patch has been received, since Growatt states the cloud vulnerabilities were patched and no user action is needed.
  • Enforce strong passwords and enable multi-factor authentication where applicable.
  • Review portal access logs for unusual authenticated lookups or abnormal plant-ID enumeration patterns.
  • Follow Growatt’s reporting path for security concerns ([email protected]).
  • Use CISA industrial control systems best practices and recommended practices for account security and defense-in-depth.
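
The log review recommended above can be automated. The following is an added example, not code from the advisory or from Growatt: it flags accounts that request many distinct plant IDs they do not manage within a short window. The log format, field names, ownership map and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed format (not Growatt's real log schema).
SAMPLE_LOG = """\
2025-04-16T09:00:01Z user=alice plant_id=1001
2025-04-16T09:00:40Z user=alice plant_id=1002
2025-04-16T09:02:00Z user=bob plant_id=2000
2025-04-16T09:02:02Z user=bob plant_id=2001
2025-04-16T09:02:04Z user=bob plant_id=2002
2025-04-16T09:02:06Z user=bob plant_id=2003
2025-04-16T09:02:08Z user=bob plant_id=2004
2025-04-16T09:02:10Z user=bob plant_id=2005
2025-04-16T10:00:00Z user=carol plant_id=3000
2025-04-16T11:00:00Z user=carol plant_id=3001
2025-04-16T12:00:00Z user=carol plant_id=3002
2025-04-16T13:00:00Z user=carol plant_id=3003
2025-04-16T14:00:00Z user=carol plant_id=3004
not a log line
"""
# Assumed ownership map: plant IDs each account legitimately manages.
OWNED = {"alice": {1001, 1002}, "bob": {2000}}
LINE_RE = re.compile(r"^(\S+) user=(\S+) plant_id=(\d+)$")

def parse(lines):
    """Yield (timestamp, user, plant_id); skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), int(m.group(3))

def find_enumeration(lines, owned=None, window=timedelta(minutes=5), min_distinct=5):
    """Return {user: peak count of distinct non-owned plant IDs inside one window}."""
    owned = owned or {}
    per_user = defaultdict(list)
    for ts, user, pid in sorted(parse(lines)):
        if pid not in owned.get(user, set()):  # own plants are expected traffic
            per_user[user].append((ts, pid))
    alerts = {}
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({pid for _, pid in evs[start:end + 1]})
            if distinct >= min_distinct:
                alerts[user] = max(distinct, alerts.get(user, 0))
    return alerts
```

On the sample, only `bob` is flagged: `carol` touches as many foreign IDs but spread over hours, and `alice` only reads plants she owns.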

Evidence notes

The source corpus explicitly states: "An authenticated attacker can obtain any plant name by knowing the plant ID." It also lists the affected product as "Growatt Growatt cloud portal: <=3.6.0" and includes Growatt’s remediation note that the cloud-based vulnerabilities were patched and no user action is needed. The advisory publication date is 2025-04-15 and the only later revision recorded is 2025-05-06 for typo fixes.

Official resources

CISA published the advisory on 2025-04-15 and later revised it on 2025-05-06 to fix typos. The advisory identifies Growatt cloud portal as affected and states the cloud-based vulnerabilities were patched.