CVE-2025-36752
📋 TL;DR
The Growatt ShineLan-X communication dongle ships with an undocumented backup account whose credentials are hardcoded in the firmware. Anyone who knows those credentials can log in to the device's Setting Center with elevated privileges, which makes the account an effective backdoor. Because the credentials are fixed rather than per-device, every unit of this dongle model is affected, including the industrial and commercial solar monitoring systems it connects. An attacker who can reach the management interface can take unauthorized control of the affected device.
💻 Affected Systems
- Growatt ShineLan-X communication dongle
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of connected solar monitoring systems allowing attackers to manipulate power generation data, disrupt operations, or pivot to internal networks.
Likely Case
Unauthorized access to device settings allowing configuration changes, data exfiltration, or service disruption.
If Mitigated
Limited impact if devices are behind firewalls with strict network segmentation and access controls.
🎯 Exploit Status
Exploitation needs nothing beyond network access to the management interface and knowledge of the hardcoded credentials. Since the credentials are identical across all devices, a single firmware extraction, reverse-engineering effort, or leak exposes every installed unit at once.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Advisory (published by DIVD CSIRT, the disclosing party; not a Growatt bulletin): https://csirt.divd.nl/CVE-2025-36752/
Restart Required: Yes
Instructions:
1. Monitor Growatt vendor communications and the DIVD advisory for a firmware update that removes the backup account.
2. Apply the fixed firmware as soon as it is available.
3. Confirm that the backup account no longer accepts its hardcoded credentials; a user cannot change these credentials, so only a firmware update removes them.
🔧 Temporary Workarounds
Network Segmentation
Isolate Growatt ShineLan-X devices on their own network segment with strict firewall rules, allowing only the outbound connections the dongle needs to reach the Growatt monitoring service.
Access Control Lists
Restrict inbound access to the dongle management interface to the IP addresses of authorized administrators only; a hardcoded credential is useless to an attacker who cannot reach the login page.
🧯 If You Can't Patch
- Physically disconnect devices from networks when not required for operation
- Implement strict monitoring for unauthorized access attempts to device interfaces
🔍 How to Verify
Check if Vulnerable:
If your own research has yielded the backup credentials, attempt to log in to the device's Setting Center with them; a successful login confirms the device is vulnerable. Independently, review the device logs for logins by an account you did not create.
Check Version:
Check device web interface or serial console for firmware version information
Verify Fix Applied:
Confirm that the installed firmware version matches the version the vendor identifies as fixed, and confirm that an authentication attempt with the backup credentials is rejected.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful login from backup account
- Configuration changes from unknown source IPs
Network Indicators:
- Unexpected traffic to device management ports (typically 80, 443, or proprietary ports)
- Authentication attempts using the backup account credentials
SIEM Query:
Generic pattern, to be translated into your SIEM's syntax. Matching every source IP would also flag legitimate administration, so exclude the authorized management addresses (or match on the backup account name once it is known):
NOT source_ip IN (<authorized_admin_ips>) AND destination_port IN (80,443,<device_port>) AND (event_type="authentication_success" OR event_type="configuration_change")
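The log and network indicators above can be turned into a small detection routine. The following Python script is an added example, not code from the advisory or from Growatt. It parses constructed log lines in an assumed `key=value` format (the dongle's real log format is not documented here, so the regex will need adapting), raises an alert when a watched account logs in and counts the failed attempts that preceded it from the same source, and raises a second alert when a configuration change arrives from a source outside an assumed authorized management range. The account name `svc_backup` and the network `10.0.50.0/24` are placeholders; the real backup account's name is not published on this page. The allowlist check is the same decision the ACL workaround above enforces at the network layer.

```python
"""Detect backup-account logins and configuration changes from unauthorized
sources in dongle access logs. Added example; not from the advisory or vendor."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical account name: the real backup account's name is not published
# in the advisory. Replace with what your own research or the vendor provides.
WATCHED_USERS = {"svc_backup"}

# Assumed: only this management network may administer the dongle.
ALLOWED_NETS = ["10.0.50.0/24"]

# Constructed sample log in an assumed key=value format (not real device output).
SAMPLE_LOG = """\
2025-06-01T10:00:01Z src=192.0.2.10 user=admin event=auth_failure
2025-06-01T10:00:04Z src=192.0.2.10 user=admin event=auth_failure
2025-06-01T10:00:09Z src=192.0.2.10 user=svc_backup event=auth_success
2025-06-01T10:00:15Z src=192.0.2.10 user=svc_backup event=config_change key=server_addr
2025-06-01T11:30:00Z src=10.0.50.7 user=admin event=auth_success
2025-06-01T11:31:00Z src=10.0.50.7 user=admin event=config_change key=wifi_ssid
2025-06-01T12:00:00Z src=198.51.100.23 user=admin event=config_change key=server_addr
"""

# Matches the leading fields; anything after event= (e.g. key=...) is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)"
)


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    event: str


def parse_log(text: str) -> list[Event]:
    """Parse key=value log lines; lines not matching the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # fromisoformat() on older Pythons does not accept a trailing 'Z'.
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["src"], m["user"], m["event"]))
    return events


def find_suspicious(events, watched_users=WATCHED_USERS, allowed_nets=ALLOWED_NETS,
                    window=timedelta(minutes=5)):
    """Return alerts for (a) logins by a watched account, with the number of
    failed attempts from the same source in the preceding window, and
    (b) configuration changes from a source outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]

    def authorized(src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in n for n in nets)

    failures: list[Event] = []
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "auth_failure":
            failures.append(ev)
        elif ev.event == "auth_success" and ev.user in watched_users:
            prior = sum(1 for f in failures
                        if f.src == ev.src and ev.ts - f.ts <= window)
            alerts.append({"rule": "backup_account_login", "ts": ev.ts.isoformat(),
                           "src": ev.src, "user": ev.user, "prior_failures": prior})
        elif ev.event == "config_change" and not authorized(ev.src):
            alerts.append({"rule": "config_change_from_unauthorized_src",
                           "ts": ev.ts.isoformat(), "src": ev.src, "user": ev.user})
    return alerts


def run_sample():
    """Run the detection over the constructed sample log."""
    return find_suspicious(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample input the routine produces three alerts: the `svc_backup` login preceded by two failures from the same address, and two configuration changes from addresses outside the management network; the administrator's own changes from `10.0.50.7` are not flagged. Feeding the same log with an allowlist of `0.0.0.0/0` shows that the backup-account rule still fires on its own, which is the rule to keep even where the network indicators are noisy.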