PatchSiren

CVE-2025-31950 Growatt CVE debrief

CVE-2025-31950 is a Growatt cloud portal issue affecting versions <=3.6.0, where an unauthenticated attacker can obtain other users’ EV charger energy consumption information. CISA published the advisory on 2025-04-15 and later revised it on 2025-05-06 for typo fixes; the vendor states the cloud-based vulnerabilities were patched and no user action is needed.

Vendor: Growatt
Product: Cloud portal
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-15
Original CVE updated: 2025-05-06
Advisory published: 2025-04-15
Advisory updated: 2025-05-06

Who should care

Operators, installers, and users of Growatt cloud portal-connected EV charging systems should pay attention, along with security teams responsible for cloud-connected energy or OT/IoT deployments.

Technical summary

The advisory describes a network-reachable information disclosure condition in the Growatt cloud portal. The provided CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, reflecting no authentication required, low attack complexity, and limited confidentiality impact only. The affected product listed in the CSAF advisory is Growatt cloud portal <=3.6.0.

Defensive priority

Medium. This is a privacy/confidentiality exposure rather than an integrity or availability issue, but it allows unauthenticated access to user energy-consumption data in a cloud service.

Recommended defensive actions

  • Confirm whether any deployed Growatt cloud portal components are at or below version 3.6.0.
  • Apply vendor-provided updates; the advisory states cloud-based vulnerabilities were patched and updates are automatic.
  • Use strong passwords and enable multi-factor authentication where applicable.
  • Review security settings regularly and report unusual activity.
  • If you identify security concerns, contact Growatt at [email protected].

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-25-105-04 and its source JSON, which identify the issue as an unauthenticated ability to obtain other users’ EV charger energy consumption information. The advisory lists Growatt cloud portal <=3.6.0 as affected and includes vendor remediation guidance stating the cloud vulnerabilities were patched and no user action is needed. The published date used here is 2025-04-15, with a later advisory revision on 2025-05-06 for typos only.

Official resources

CISA published the advisory on 2025-04-15 and revised it on 2025-05-06; the revision history in the source indicates the later update was for typo fixes. The CVE description provided by the source states that an unauthenticated attacker can