Description
An incorrect authorisation check in the the 'plant transfer' function of the Growatt cloud service allowed a malicous attacker with a valid account to transfer any plant into his/her account.
References (4)
Core 4
Core References
Various Sources product
https://server.growatt.com
Various Sources product
https://oss.growatt.com
Various Sources third-party-advisory
https://csirt.divd.nl/CVE-2025-29757
Various Sources third-party-advisory
https://csirt.divd.nl/DIVD-2025-00011
Scores
CVSS v4
9.4
EPSS
0.0038
EPSS Percentile
29.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:C/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
Growatt/https://oss.growatt.com
< 13 Jun 2025
Growatt/https://server.growatt.com
< 13 June 2025
Published
Jul 19, 2025
Tracked Since
Feb 18, 2026