Hardcoded FTP Credentials within the firmware_CVE-2025-36747

9.4 / 10

CRITICAL

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.

Basic Information

ID CVE-2025-36747

Source DIVD

Published Dec 13, 2025 at 08:16

Affected Product

Vendor Growatt

Product ShineLan-X

Version 3.6.0.0

Affected Versions Growatt ShineLan-X 3.6.0.0

CWE Classification

CWE-798

References

csirt.divd.nl /CVE-2025-36747/

{
    "lastseen": "",
    "description": "ShineLan-X contains\u00a0a set of credentials for an FTP server was found within the firmware, allowing\u00a0testers to establish an insecure FTP connection with the server.\u00a0This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the\u00a0firmware signature verification is not enforced.",
    "published": "2025-12-13T08:16:25.804Z",
    "modified": "2025-12-13T08:16:25.804Z",
    "type": "cve",
    "title": "Hardcoded FTP Credentials within the firmware",
    "source": "DIVD",
    "references": "https://csirt.divd.nl/CVE-2025-36747/",
    "id": "CVE-2025-36747",
    "bulletinFamily": "",
    "cwe": [
        "CWE-798"
    ],
    "cvelist": null,
    "sourceData": "Growatt ShineLan-X 3.6.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ShineLan-X",
    "version": "3.6.0.0",
    "vendor": "Growatt",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}