CVE-2025-36748

5.4 MEDIUM

📋 TL;DR

ShineLan-X's local configuration web server has a stored XSS vulnerability in the communication module settings center. Attackers can inject malicious JavaScript that executes in legitimate users' browsers. This affects all users of ShineLan-X with the vulnerable version.

💻 Affected Systems

Products:
  • ShineLan-X
Versions: Specific versions not detailed in reference; assume all versions prior to patch.
Operating Systems: Unknown - Likely cross-platform as it's a web server component
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the communication module's settings center of the local configuration web server.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal administrator credentials, hijack sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟠 Likely Case: Session hijacking, credential theft, or defacement of the configuration interface.

🟢 If Mitigated: Limited impact if proper input validation and output encoding are implemented.

🌐 Internet-Facing: MEDIUM - The web server is typically local but could be exposed; exploitation requires user interaction.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to pivot within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to have access to inject JavaScript into the settings center, which typically requires some level of access or social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://csirt.divd.nl/CVE-2025-36748/

Restart Required: Yes

Instructions:

1. Monitor the vendor's website for security updates.
2. Apply the patch when available.
3. Restart the ShineLan-X service or system.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement strict input validation and output encoding for the communication module settings center.

Command: not applicable; this workaround requires code changes by the vendor.
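To make the "output encoding" recommendation concrete, here is an added illustration (not ShineLan-X code; the page gives no detail about the product's implementation, so the settings field, the renderer and the validation rule are assumptions). It places a stored settings value into an HTML attribute first with no encoding, the vulnerable pattern behind a stored XSS, and then with HTML encoding, alongside an allowlist validator that rejects a value carrying markup before it is ever stored:

```python
import html
import re

# Constructed sample: a stored settings value that carries a script tag.
# This is illustrative input, not a payload taken from the advisory.
STORED_NAME = '<script>alert(1)</script>Module A'

# Hypothetical allowlist for a module-name field: letters, digits, space,
# underscore, dot and dash, at most 64 characters.
NAME_RE = re.compile(r'[A-Za-z0-9 _.-]{1,64}')


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: the stored value is interpolated straight into
    the page, so any markup it contains becomes part of the document."""
    return f'<input name="module_name" value="{value}">'


def render_safe(value: str) -> str:
    """Hardened pattern: HTML-encode the value (including quotes) before
    placing it in an attribute, so markup is shown as text, not executed."""
    return f'<input name="module_name" value="{html.escape(value, quote=True)}">'


def validate_module_name(value: str) -> bool:
    """Input validation on write: accept only values that match the
    allowlist in full, so angle brackets and quotes never reach storage."""
    return NAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print("unsafe:", render_unsafe(STORED_NAME))
    print("safe:  ", render_safe(STORED_NAME))
    print("valid: ", validate_module_name(STORED_NAME))
```

Validation and encoding are complementary: the allowlist keeps hostile values out of storage, and the encoding protects any value that is already stored or that arrives through a path the validator does not cover.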

Restrict Access

Applies to: all

Limit access to the configuration web server to trusted IP addresses only.

Configure firewall rules to allow only specific IPs to access the web server port.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules.
  • Disable the communication module if not essential and monitor for unauthorized changes.

🔍 How to Verify

Check if Vulnerable:

Check if JavaScript can be injected into the communication module settings center and persists across sessions.

Check Version:

Check the ShineLan-X version via its web interface or system documentation.

Verify Fix Applied:

Test that injected JavaScript is properly sanitized or blocked in the patched version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript strings in configuration logs
  • Multiple failed login attempts followed by configuration changes

Network Indicators:

  • HTTP requests with suspicious JavaScript payloads to the configuration endpoint

SIEM Query:

source="shineLan-x.log" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
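The SIEM query above matches the literal strings; in practice the same indicators often reach the configuration endpoint URL-encoded or in mixed case, which a literal match misses. The following added example (not from the page or the vendor; the log format and the request path are constructed) applies the same four indicators after URL-decoding and lower-casing each line, so it reports the lines the literal query would skip:

```python
from urllib.parse import unquote_plus

# The indicator strings from the SIEM query on this page.
INDICATORS = ("<script>", "javascript:", "onerror=", "onload=")

# Constructed sample log lines; the path and fields are assumptions,
# not the product's real log format.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z POST /comm/settings name=ModuleA interval=30
2025-06-01T10:00:07Z POST /comm/settings name=%3Cscript%3Ealert(1)%3C%2Fscript%3E
2025-06-01T10:00:12Z POST /comm/settings name=x%22%20onerror%3Dalert(1)
2025-06-01T10:01:00Z GET /comm/settings
2025-06-01T10:02:00Z POST /comm/settings url=JAVASCRIPT:void(0)
"""


def normalize(line: str) -> str:
    """Decode URL encoding twice (to catch double-encoded values) and
    lower-case, so matching is not defeated by encoding or case."""
    return unquote_plus(unquote_plus(line)).lower()


def find_xss_indicators(log_text: str):
    """Return (line number, matched indicators, original line) for every
    log line that contains one of the indicators after normalization."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        norm = normalize(line)
        matched = [ind for ind in INDICATORS if ind in norm]
        if matched:
            hits.append((lineno, matched, line))
    return hits


if __name__ == "__main__":
    for lineno, matched, line in find_xss_indicators(SAMPLE_LOG):
        print(f"line {lineno}: {matched}: {line}")
```

Treat a hit as a trigger for review of the corresponding configuration change rather than as proof of compromise: legitimate values can contain these substrings, and the query's value lies in pairing it with the "configuration change after failed logins" indicator listed above.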
