CVE-2025-36752
CVE-2025-36752 is a critical-severity vulnerability rated 9.4/10 on the CVSS scale. The Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials, which allows a significant level of access to the device, such as allowing any attacker to access the Setting Center. This is effectively a backdoor for all devices utilizing a Growatt ShineLan-X communication dongle. EPSS estimates a 0.29% chance of exploitation in the next 30 days.
Description
The Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials, which allows a significant level of access to the device, such as allowing any attacker to access the Setting Center. This is effectively a backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Growatt | Shine Lan-X Firmware | >= 3.6.0.0, < 3.6.0.2 |
References
- https://csirt.divd.nl/CVE-2025-36752/ (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status: Analyzed
Source: NVD / NIST
