Insecure FTP Credentials in ShineLan-X Device Firmware
CVE-2025-36747

9.4 CRITICAL

Key Information:

Vendor: Growatt

CVE Published: 13 December 2025

What is CVE-2025-36747?

The ShineLan-X firmware contains hardcoded credentials for FTP access, which attackers can exploit to establish an insecure connection. Because signature verification for firmware updates is not enforced, malicious actors can replace legitimate firmware files with their own unauthorized versions. Vulnerable devices may then inadvertently deploy compromised firmware, leading to potential system breaches and data loss.

Affected Version(s)

ShineLan-X 3.6.0.0 <= 3.6.0.2

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hamid Rahmouni
Victor Pasman