CVE-2025-36751— Missing encryption on Local Configuration Interface or Cloud Endpoint Communication - Growatt MIC3300TL-X and ShineLan-X
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-36751
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Missing encryption on Local Configuration Interface or Cloud Endpoint Communication - Growatt MIC3300TL-X and ShineLan-X
Source: NVD (National Vulnerability Database)
Vulnerability Description
Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
敏感数据加密缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Growatt ShineLan-X 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Growatt ShineLan-X是中国古瑞瓦特(Growatt)公司的一款光伏逆变器的数据记录器。 Growatt ShineLan-X存在安全漏洞,该漏洞源于配置接口缺少加密,可能导致拦截和操纵通信请求。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Growatt | ShineLan-X | 3.6.0.0 ~ 3.6.0.2 | - |
II. Public POCs for CVE-2025-36751
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-36751
Please Login to view more intelligence information
- https://csirt.divd.nl/CVE-2025-36751/third-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-36751
Same Patch Batch · Growatt · 2025-12-13 · 7 CVEs total
| CVE-2025-36750 | Stored cross site scripting (XSS) vulnerability in Growatt ShineLan-X | |
| CVE-2025-36747 | Hardcoded FTP Credentials within the firmware | |
| CVE-2025-36754 | Authentication bypass on web interface | |
| CVE-2025-36748 | Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X | |
| CVE-2025-36753 | SWD Interface Open on Growatt ShineLan-X | |
| CVE-2025-36752 | Undocumented backup Account and No Password Configuration Capability |
IV. Related Vulnerabilities
Same product: ShineLan-X
- CVE-2025-36747
Hardcoded FTP Credentials within the firmware - CVE-2025-36752
Undocumented backup Account and No Password Configuration Ca - CVE-2025-36754
Authentication bypass on web interface - CVE-2025-36748
Stored Cross-Site Scripting (XSS) vulnerability in Growatt S - CVE-2025-36750
Stored cross site scripting (XSS) vulnerability in Growatt S
Same vendor: Growatt
- CVE-2025-36747
Hardcoded FTP Credentials within the firmware - CVE-2025-36752
Undocumented backup Account and No Password Configuration Ca - CVE-2025-36748
Stored Cross-Site Scripting (XSS) vulnerability in Growatt S - CVE-2025-36754
Authentication bypass on web interface - CVE-2025-36750
Stored cross site scripting (XSS) vulnerability in Growatt S
Same weakness: CWE-311
- CVE-2026-34486
Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of Encr - CVE-2026-34992
Missing Encryption of Sensitive Data in antrea.io/antrea - CVE-2026-28678
dsa-hub-server: Clear-Text Storage of Sensitive Data - CVE-2026-27944
Nginx UI: Unauthenticated Backup Download with Encryption Ke - CVE-2025-15548
Missing Application-Layer Encryption in Web Interface Endpoi
V. Comments for CVE-2025-36751
No comments yet