CVE-2025-30510

Growatt Cloud portal Insufficient Type Distinction

Assigner: icscert
Reserved: 01.04.2025 Published: 15.04.2025 Updated: 16.04.2025

An attacker can upload an arbitrary file instead of a plant image.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Growatt
Product	Cloud portal
Versions	Default: unaffected affected from 0 to 3.6.0 (excl.)

Vendor

Growatt

Product

Cloud portal

Versions

Default: unaffected

affected from 0 to 3.6.0 (excl.)

Solutions

Growatt reports the cloud-based vulnerabilities were patched and no user action is needed. Additionally, Growatt strongly recommends that their users take proactive steps in securing their devices and take the following actions:

Update all devices to the latest firmware version when available. (Updates are automatic, no user action needed.)
Use strong passwords and enable multi-factor authentication where applicable.
Report any security concerns to Service@Growatt.com.
Stay vigilant. Users and installers should regularly review security settings, follow best practices, and report any unusual activity.

Credits

Forescout Technologies reported these vulnerabilities to CISA. finder

References

Problem Types

CWE-351 Insufficient Type Distinction CWE