CVE-2025-36752

CRITICAL

Growatt ShineLan-X Firmware 3.6.0.0-3.6.0.1 - Use of Hard-coded Credentials

Title source: llm
STIX 2.1

Description

Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.

References (1)

Core 1
Core References
Third Party Advisory third-party-advisory
https://csirt.divd.nl/CVE-2025-36752/

Scores

CVSS v3 9.8
EPSS 0.0029
EPSS Percentile 20.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-798
Status published
Products (1)
growatt/shine_lan-x_firmware 3.6.0.0 - 3.6.0.2
Published Dec 13, 2025
Tracked Since Feb 18, 2026