CVE-2025-29757 | THREATINT

Description

An incorrect authorisation check in the the 'plant transfer' function of the Growatt cloud service allowed a malicous attacker with a valid account to transfer any plant into his/her account.

PUBLISHED Reserved 2025-03-11 | Published 2025-07-19 | Updated 2025-07-22 | Assigner DIVD

CRITICAL: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/S:P/V:C

Problem types

CWE-863 Incorrect Authorization

Product status

Default status

unaffected

Any version before 13 Jun 2025

affected

Default status

unaffected

Any version before 13 June 2025

affected

Credits

Humza Ahmad finder

Frank Breedijk (DIVD) analyst

References

server.growatt.com product

oss.growatt.com product

csirt.divd.nl/CVE-2025-29757 third-party-advisory

csirt.divd.nl/DIVD-2025-00011 third-party-advisory

cve.org (CVE-2025-29757)

nvd.nist.gov (CVE-2025-29757)

Download JSON