OTPulse

Growatt Cloud Applications

Priority: Act Now · CVSS 9.8
Advisory: ICS-CERT ICSA-25-105-04
Published: Apr 15, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in the Growatt cloud portal (version 3.6.0 and earlier) allow an unauthenticated attacker to perform cross-site scripting (CWE-79), achieve code execution, and bypass authorization controls (CWE-639, CWE-351, CWE-15). These vulnerabilities could compromise the confidentiality and integrity of solar system configurations and operational data. Growatt has patched these vulnerabilities on its cloud platform; because Growatt controls the cloud infrastructure, no user action is strictly required. Growatt firmware updates for solar inverters are pushed automatically.

What this means
What could happen
An attacker could compromise the Growatt cloud portal to steal operational data from solar installations, manipulate inverter settings, or disrupt service availability. If an attacker gains code execution on the platform, they could affect multiple solar energy systems simultaneously.
Who's at risk
Solar energy system operators, facility managers, and solar installation companies that use Growatt cloud-based monitoring and control systems. This affects organizations managing Growatt inverters and battery storage systems that depend on the cloud portal for real-time monitoring, firmware updates, and operational control.
How it could be exploited
An attacker on the internet could send a specially crafted request to the Growatt cloud portal (reachable from your network) to inject scripts into the web application or execute arbitrary code. The lack of required credentials means any unauthenticated attacker can attempt exploitation. If successful, the attacker gains access to the portal and could read or modify configuration data, perform account takeover via XSS, or execute commands on the backend system.
Prerequisites
  • Network access to the Growatt cloud portal from the internet
  • No valid credentials required

  • Remotely exploitable from the internet
  • No authentication required for exploitation
  • Low attack complexity
  • High severity CVSS (9.8)
  • Affects cloud-based operational visibility and control of distributed solar assets
  • Potential for cross-site scripting (XSS) and arbitrary code execution
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product               Affected Versions   Fix Status
Growatt cloud portal  ≤ 3.6.0             Fix available
Remediation & Mitigation
Do now
HOTFIX: Growatt has reportedly patched the vulnerabilities on their cloud platform; verify your portal access is on the latest version and monitor for any confirmation from Growatt
HARDENING: Enable multi-factor authentication on all Growatt portal accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Ensure all Growatt inverter devices are set to auto-update firmware and verify they are on the latest available version
Long-term hardening
HARDENING: Restrict direct internet access to the Growatt cloud portal; require employees and installers to access it only through a VPN and keep VPN software current
HARDENING: Segment your network so that solar monitoring devices and inverters do not have direct communication with your main business network