Undocumented backup Account and No Password Configuration Capability_CVE-2025-36752

9.4 / 10

CRITICAL

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.

Basic Information

ID CVE-2025-36752

Source DIVD

Published Dec 13, 2025 at 08:16

Affected Product

Vendor Growatt

Product ShineLan-X

Version 3.6.0.0

Affected Versions Growatt ShineLan-X 3.6.0.0

CWE Classification

CWE-798

References

csirt.divd.nl /CVE-2025-36752/

{
    "lastseen": "",
    "description": "Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented\u00a0credentials\u00a0which\u00a0allows significant level access to the device, such as\u00a0allowing any attacker to access the Setting\u00a0Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.",
    "published": "2025-12-13T08:16:25.088Z",
    "modified": "2025-12-13T08:16:25.088Z",
    "type": "cve",
    "title": "Undocumented backup Account and No Password Configuration Capability",
    "source": "DIVD",
    "references": "https://csirt.divd.nl/CVE-2025-36752/",
    "id": "CVE-2025-36752",
    "bulletinFamily": "",
    "cwe": [
        "CWE-798"
    ],
    "cvelist": null,
    "sourceData": "Growatt ShineLan-X 3.6.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ShineLan-X",
    "version": "3.6.0.0",
    "vendor": "Growatt",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}