Backdoor Access in Growatt ShineLan-X Communication Dongle
CVE-2025-36752

9.4CRITICAL

Key Information:

Vendor: Growatt
Status: Shinelan-x
Vendor: CVE Published:; 13 December 2025

What is CVE-2025-36752?

The Growatt ShineLan-X communication dongle contains a hidden backup account with undocumented credentials, granting significant access to its settings. This flaw allows unauthorized users to exploit the device as a backdoor, compromising security for all connected systems. The undocumented nature of the account poses a serious risk, highlighting the need for robust authentication measures in products utilizing this firmware.

Affected Version(s)

ShineLan-X 3.6.0.0 <= 3.6.0.2

References

https://csirt.divd.nl/CVE-2025-36752/

third-party-advisory

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

Alexandros Tokatlis

Victor Pasman

JSON