CVE-2025-29757
9.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/S:P/V:C
Summary
An incorrect authorisation check in the the 'plant transfer' function of the Growatt cloud service allowed a malicous attacker with a valid account to transfer any plant into his/her account.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Growatt | https://oss.growatt.com | 0 < 13 Jun 2025 | affected |
| Growatt | https://server.growatt.com | 0 < 13 June 2025 | affected |
Weaknesses
- CWE-863: CWE-863 Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://server.growatt.com
- https://oss.growatt.com
- https://csirt.divd.nl/CVE-2025-29757
- https://csirt.divd.nl/DIVD-2025-00011
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.