Web Interface Authentication Bypass in Affected Devices by Vendor
CVE-2025-36754

9.3CRITICAL

Key Information:

Vendor: Growatt
Status: Shinelan-x
Vendor: CVE Published:; 13 December 2025

What is CVE-2025-36754?

The security flaw in the web interface allows for improper implementation of the authentication mechanism. Attackers can exploit this vulnerability by crafting a post request with altered settings, facilitating unauthorized access. Without session tokens or adequate authentication in place, malicious actors could redirect the device to arbitrary addresses, potentially enabling man-in-the-middle (MitM) attacks that compromise data integrity and privacy.

Affected Version(s)

ShineLan-X 3.6.0.0 <= 3.6.0.2

References

https://csirt.divd.nl/CVE-2025-36754/

third-party-advisory

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Dec 13, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

Hamid Rahmouni

Victor Pasman

JSON