Growatt Cloud Applications

Status: Plan patch
CVSS: 9.8
Advisory: ICS-CERT ICSA-25-105-04
Published: Apr 15, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Growatt cloud portal versions 3.6.0 and earlier contain cross-site scripting (XSS), authorization bypass through a user-controlled key (CWE-639), insecure cryptographic storage, and insufficient input validation vulnerabilities. Successful exploitation could allow an attacker, in some cases without authentication, to read data belonging to other accounts, inject malicious code into the web interface, and execute arbitrary commands on the cloud platform and, through it, on connected solar inverters. Growatt has patched the vulnerabilities server-side; because the portal is vendor-hosted, the update reaches all users automatically and no customer action is needed to install it. Users should still secure their accounts and limit the network exposure of the on-site devices that report to the portal.

What this means
What could happen
An attacker could exploit vulnerabilities in the Growatt cloud portal to steal sensitive data, inject malicious code into web interfaces, or execute arbitrary commands on connected solar inverter systems, potentially disrupting power generation or allowing unauthorized modification of inverter settings.
Who's at risk
This affects municipal electric utilities and solar facility operators who use the Growatt cloud portal to manage and monitor distributed solar inverters. Solar farms, rooftop installations, and any renewable energy infrastructure relying on Growatt monitoring systems are in scope. Facility owners and system administrators who access the cloud portal to configure inverter setpoints, retrieve telemetry, or manage multiple sites should prioritize this.
How it could be exploited
An attacker with network access to the Growatt cloud portal could send crafted requests that exploit the XSS, authorization bypass, and input validation flaws. Because the portal is internet-facing, the issues that require no authentication are reachable by anyone. The authorization bypass lets a requester read or act on sites and devices belonging to other accounts simply by supplying their identifiers. If an administrator or installer views a page carrying injected script, the attacker can run code in that user's browser session, capture credentials or session tokens, and then use the portal's own functions to change inverter settings or issue commands to connected devices.
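The two flaw classes that do most of the damage above are the authorization bypass through a user-controlled key (CWE-639) and the XSS. The following is an added illustration of those classes, not Growatt's code: a lookup that trusts a client-supplied site id beside one that validates the id, scopes it to the logged-in account, and HTML-escapes output before rendering. The data model, field names, ids and account names are invented for the example.

```python
"""Illustrative CWE-639 / XSS check for a cloud portal that manages inverter sites.

Added example only; the records, ids and field names below are constructed and do
not describe any real Growatt endpoint or data model.
"""
import html

# Constructed sample data: two accounts, one inverter site each. Bob's site name
# carries a script tag to show why attacker-controllable fields must be escaped.
PLANTS = {
    1001: {"owner": "alice", "name": "Rooftop A", "export_limit_kw": 5.0},
    1002: {"owner": "bob", "name": "<script>alert(1)</script>", "export_limit_kw": 250.0},
}


class Forbidden(Exception):
    """Raised when the caller may not see or change the requested site."""


def get_plant_vulnerable(raw_plant_id: str, session_user: str) -> dict:
    """CWE-639 pattern: the client-supplied id is used directly as the lookup key.

    session_user is accepted but never consulted, so any account (or anyone at all,
    if the endpoint is unauthenticated) can read every site by changing the id.
    """
    return PLANTS[int(raw_plant_id)]


def parse_plant_id(raw: str) -> int:
    """Input validation: only a short decimal integer is an acceptable id."""
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > 12:
        raise ValueError("plantId must be a decimal integer")
    return int(raw)


def get_plant_hardened(raw_plant_id: str, session_user: str) -> dict:
    """Validate the key, then authorize: the site must belong to session_user.

    'Not found' and 'not yours' produce the same error so the endpoint does not
    become an oracle for enumerating which ids exist.
    """
    plant = PLANTS.get(parse_plant_id(raw_plant_id))
    if plant is None or plant["owner"] != session_user:
        raise Forbidden("no such site for this account")
    return plant


def can_read(raw_plant_id: str, session_user: str) -> bool:
    """True if the hardened path lets session_user read the site."""
    try:
        get_plant_hardened(raw_plant_id, session_user)
        return True
    except (Forbidden, ValueError):
        return False


def render_plant_card(plant: dict) -> str:
    """Output encoding: escape user-controlled fields before they reach HTML."""
    return f"<div class='plant'>{html.escape(plant['name'])}</div>"


def set_export_limit(raw_plant_id: str, session_user: str, new_limit_kw: float) -> float:
    """Setpoint write: same ownership check as reads, plus a range check on the value."""
    plant = get_plant_hardened(raw_plant_id, session_user)
    if not (0.0 <= float(new_limit_kw) <= 1000.0):
        raise ValueError("export limit out of range")
    plant["export_limit_kw"] = float(new_limit_kw)
    return plant["export_limit_kw"]


if __name__ == "__main__":
    # Alice reads Bob's site through the vulnerable path...
    print(get_plant_vulnerable("1002", "alice")["owner"])
    # ...but not through the hardened one, and the script tag is neutralised on render.
    print(can_read("1002", "alice"))
    print(render_plant_card(PLANTS[1002]))
```

The important design point is that the ownership check happens inside the lookup, so every caller (reads and setpoint writes alike) gets it for free; bolting the check onto individual endpoints is how one of them ends up without it.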
Prerequisites
  • Network access to the Growatt cloud portal (internet-facing)
  • No authentication required for initial exploitation
  • For the XSS path only, an administrator or installer must view the injected content before credentials or devices can be compromised
Key factors
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • High CVSS (9.8)
  • Affects cloud management of critical energy generation assets
  • XSS and code injection allow credential theft and lateral movement
Exploitability
Unlikely to be exploited: EPSS score 0.6%. EPSS estimates the probability of exploitation in the wild over the next 30 days; the high CVSS score reflects the potential impact, not observed attacks. Note that the fix is applied by the vendor, so the exploitability figure does not change what customers need to do.
Affected products (1)
Product                Affected Versions   Fix Status
Growatt cloud portal   <= 3.6.0            Fix available (deployed server-side)
Remediation & Mitigation
Do now
HOTFIX: Confirm that the portal has been updated past version 3.6.0. The vendor states the fix is deployed server-side, so customers receive it automatically and do not need to install anything.
HARDENING: Enable multi-factor authentication (MFA) on all Growatt cloud portal user accounts.
HARDENING: Rotate all Growatt portal passwords to strong, unique credentials. Since the XSS described above could capture credentials, treat any password used in the portal before the fix as potentially exposed.
WORKAROUND: The portal is vendor-hosted, so customers cannot restrict access to it with their own firewall rules. Instead, limit the network exposure of the on-site inverters and connected devices that report to it: keep their management interfaces off internet-reachable addresses and allow only the outbound connections they need.
Schedule — requires maintenance window

Inverter firmware updates may require a device reboot; plan for a brief interruption of monitoring and generation.

HARDENING: Where remote access to on-site inverters or connected devices is required, use a VPN rather than exposing their interfaces directly to the internet. Keep the VPN endpoint itself patched; it is only as secure as the devices connected to it.
HOTFIX: Ensure all connected Growatt inverters and devices have automatic firmware updates enabled and are running current firmware.