
Growatt Shine Lan-X Firmware vulnerabilities

5 known vulnerabilities affecting growatt/shine_lan-x_firmware.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, MEDIUM 2

Vulnerabilities

CVE-2025-36752 | P2 | CRITICAL | CVSS 9.8 | ≥ 3.6.0.0, < 3.6.0.2 | 2025-12-13
[CRITICAL] CWE-798: Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials, which allows a significant level of access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively a backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.
Source: NVD
CVE-2025-36747 | P2 | CRITICAL | CVSS 9.8 | ≥ 3.6.0.0, < 3.6.0.2 | 2025-12-13
[CRITICAL] CWE-798: ShineLan-X contains a set of credentials for an FTP server, found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.
Source: NVD
CVE-2025-36753 | P2 | CRITICAL | CVSS 9.8 | ≥ 3.6.0.0, < 3.6.0.2 | 2025-12-13
[CRITICAL] CWE-290: The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extract secrets or domains from within the device.
Source: NVD
CVE-2025-36750 | P4 | MEDIUM | CVSS 5.4 | ≥ 3.6.0.0, < 3.6.0.2 | 2025-12-13
[MEDIUM] CWE-79: ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the Plant Name field. An HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.
Source: NVD
CVE-2025-36748 | P4 | MEDIUM | CVSS 5.4 | ≥ 3.6.0.0, < 3.6.0.2 | 2025-12-13
[MEDIUM] CWE-79: ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.
Source: NVD