CVE-2025-36754— Authentication bypass on web interface
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-36754
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authentication bypass on web interface
Source: NVD (National Vulnerability Database)
Vulnerability Description
The authentication mechanism on web interface is not properly implemented. It is possible to bypass authentication checks by crafting a post request with new settings since there is no session token or authentication in place. This would allow an attacker for instance to point the device to an arbitrary address for domain name resolution to e.g. facililitate a man-in-the-middle (MitM) attack.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用欺骗进行的认证绕过
Source: NVD (National Vulnerability Database)
Vulnerability Title
Growatt ShineLan-X 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Growatt ShineLan-X是中国古瑞瓦特(Growatt)公司的一款光伏逆变器的数据记录器。 Growatt ShineLan-X存在安全漏洞,该漏洞源于Web界面认证机制实现不当,可能导致绕过认证检查并执行中间人攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Growatt | ShineLan-X | 3.6.0.0 ~ 3.6.0.2 | - |
II. Public POCs for CVE-2025-36754
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-36754
请登录查看更多情报信息。
- https://csirt.divd.nl/CVE-2025-36754/third-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-36754
Same Patch Batch · Growatt · 2025-12-13 · 7 CVEs total
| CVE-2025-36750 | Stored cross site scripting (XSS) vulnerability in Growatt ShineLan-X | |
| CVE-2025-36751 | Missing encryption on Local Configuration Interface or Cloud Endpoint Communication - Grow | |
| CVE-2025-36747 | Hardcoded FTP Credentials within the firmware | |
| CVE-2025-36748 | Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X | |
| CVE-2025-36753 | SWD Interface Open on Growatt ShineLan-X | |
| CVE-2025-36752 | Undocumented backup Account and No Password Configuration Capability |
IV. Related Vulnerabilities
Same product: ShineLan-X
- CVE-2025-36747
Hardcoded FTP Credentials within the firmware - CVE-2025-36752
Undocumented backup Account and No Password Configuration Ca - CVE-2025-36748
Stored Cross-Site Scripting (XSS) vulnerability in Growatt S - CVE-2025-36750
Stored cross site scripting (XSS) vulnerability in Growatt S - CVE-2025-36753
SWD Interface Open on Growatt ShineLan-X
Same vendor: Growatt
- CVE-2025-36747
Hardcoded FTP Credentials within the firmware - CVE-2025-36752
Undocumented backup Account and No Password Configuration Ca - CVE-2025-36748
Stored Cross-Site Scripting (XSS) vulnerability in Growatt S - CVE-2025-36750
Stored cross site scripting (XSS) vulnerability in Growatt S - CVE-2025-36753
SWD Interface Open on Growatt ShineLan-X
Same weakness: CWE-290
- CVE-2021-47923
OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie - CVE-2026-42354
Sentry: Improper authentication on SAML SSO process allows u - CVE-2026-44118
OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Tok - CVE-2026-39858
Traefik: Forwarded alias spoofing top pre-auth decision bypa - CVE-2018-25318
Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Cha
V. Comments for CVE-2025-36754
No comments yet