Authorization Vulnerability in Growatt Cloud Service
CVE-2025-29757
9.4 CRITICAL
What is CVE-2025-29757?
An issue in the Growatt Cloud Service's 'plant transfer' function allows an attacker with valid account credentials to transfer ownership of any plant to their own account due to inadequate authorization checks. This vulnerability poses a significant security risk as it could lead to unauthorized control over users' assets.
Affected Version(s)
https://oss.growatt.com: versions before 13 June 2025
https://server.growatt.com: versions before 13 June 2025
CVSS V4
Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Humza Ahmad
Frank Breedijk (DIVD)
