CVE-2025-36752

EPSS 0.29%
Veröffentlicht 13.12.2025 08:16:25
Zuletzt bearbeitet 14.01.2026 18:05:00
Quelle csirt@divd.nl
CVE-Watchlists
Login
Unerledigt
Login

Undocumented backup Account and No Password Configuration Capability

Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Growatt ≫ Shine Lan-x Firmware Version >= 3.6.0.0 < 3.6.0.2

Growatt ≫ Shine Lan-x Version-

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.2

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
csirt@divd.nl	9.4	0	0	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://csirt.divd.nl/CVE-2025-36752/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-36752

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-36752

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-36752

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-36752