CVE-2025-24487 Overview
CVE-2025-24487 is a username enumeration vulnerability in the Growatt Cloud Portal. An unauthenticated attacker can query an exposed API endpoint to determine whether a given username exists in the system. The flaw is categorized under CWE-639: Authorization Bypass Through User-Controlled Key and affects a cloud-based solar monitoring platform. While the vulnerability does not directly expose credentials or system data, it provides reconnaissance value for adversaries preparing credential stuffing, password spraying, or targeted phishing campaigns against confirmed accounts.
Critical Impact
Unauthenticated remote attackers can enumerate valid usernames in the Growatt Cloud Portal, enabling account-focused attacks against operators of internet-connected solar energy monitoring infrastructure.
Affected Products
- Growatt Cloud Portal (all versions prior to vendor remediation)
- Web-facing API endpoints exposed by the cloud portal
- Associated Growatt account authentication services
Discovery Timeline
- 2025-04-15 - CVE-2025-24487 published to the National Vulnerability Database
- 2025-04-15 - CISA released ICS Advisory ICSA-25-105-04
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-24487
Vulnerability Analysis
The Growatt Cloud Portal exposes an application programming interface (API) that responds differently based on whether a submitted username exists in the backend user store. An attacker sending crafted requests can distinguish valid accounts from invalid ones by observing response content, status codes, or timing differences. No authentication or authorization is required to interact with the affected endpoint, which makes automated enumeration straightforward.
This vulnerability sits within the broader class of information disclosure flaws. It does not directly grant access to devices connected to the Growatt platform, but it lowers the cost of subsequent attacks. Given that Growatt Cloud Portal manages solar photovoltaic monitoring and control functions, enumerated accounts represent operator identities linked to physical energy assets.
Root Cause
The root cause is inconsistent API responses that reveal account existence. Secure authentication and password reset flows should return identical responses whether an account exists or not. Here, the API discloses account state through observable differences, satisfying the conditions for CWE-639 style user-key enumeration.
Attack Vector
The attack vector is network-based and requires no user interaction or privileges. An adversary iterates through candidate usernames — such as email addresses harvested from breach corpora or company directories — and records which values produce a positive indicator from the API. The resulting list of confirmed usernames is then used for credential stuffing, password spraying, or spear phishing targeting Growatt operators. Refer to the CISA ICS Advisory ICSA-25-105-04 for vendor-supplied technical context.
Detection Methods for CVE-2025-24487
Indicators of Compromise
- High-volume sequential requests to Growatt Cloud Portal authentication or account-lookup API endpoints from a single source IP or narrow address range.
- Repeated requests differing only by the username or email parameter, characteristic of enumeration scripts.
- Requests originating from hosting providers, VPN exit nodes, or Tor egress points targeting the portal API.
Detection Strategies
- Monitor web application firewall (WAF) and API gateway logs for burst patterns against username-bearing endpoints.
- Baseline normal login and account-lookup request rates, then alert on statistical deviations per source identifier.
- Correlate enumeration attempts with subsequent authentication failures to identify credential stuffing follow-through.
Monitoring Recommendations
- Enable verbose logging on all Growatt Cloud Portal API endpoints that accept a username or email parameter.
- Forward portal access logs to a centralized SIEM or data lake for cross-source correlation and retention.
- Track enumerated account identifiers against later successful logins to detect potential account takeover.
How to Mitigate CVE-2025-24487
Immediate Actions Required
- Review the CISA ICS Advisory ICSA-25-105-04 and apply vendor guidance issued by Growatt.
- Rate-limit and throttle unauthenticated requests to authentication and account-lookup endpoints at the network edge.
- Enforce multi-factor authentication (MFA) on all Growatt Cloud Portal accounts to reduce the value of enumerated usernames.
Patch Information
Growatt addressed this issue in the Cloud Portal per the coordinated disclosure documented in CISA ICSA-25-105-04. Because the Cloud Portal is a vendor-managed service, remediation is delivered server-side by Growatt rather than through customer-installed updates. Operators should confirm with Growatt that their tenant is on the remediated backend and review account activity for signs of prior enumeration.
Workarounds
- Restrict source networks permitted to access the Growatt Cloud Portal where operationally feasible.
- Deploy a WAF rule to block or challenge sequential username-parameter probing patterns.
- Rotate or reset operator account identifiers that were exposed in prior credential leaks to reduce guessability.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

