Authorization Vulnerability in Growatt Cloud Service
CVE-2025-29757

9.4 CRITICAL

Key Information:

Vendor: Growatt

CVE Published: 19 July 2025

What is CVE-2025-29757?

An issue in the Growatt Cloud Service's 'plant transfer' function allows an attacker with valid account credentials to transfer ownership of any plant to their own account due to inadequate authorization checks. This vulnerability poses a significant security risk as it could lead to unauthorized control over users' assets.

Affected Version(s)

https://oss.growatt.com: 0 < 13 June 2025

https://server.growatt.com: 0 < 13 June 2025

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Humza Ahmad
Frank Breedijk (DIVD)