CVE-2025-27938 Overview
CVE-2025-27938 is an information disclosure vulnerability in the Growatt Cloud Portal. Unauthenticated attackers can retrieve restricted information about a user's smart device collections, referred to as rooms, without any authentication or user interaction. The flaw is categorized under [CWE-639] Authorization Bypass Through User-Controlled Key, an Insecure Direct Object Reference (IDOR) weakness. CISA published advisory ICSA-25-105-04 documenting the issue as it affects Growatt's cloud-connected solar energy monitoring platform. The vulnerability is exploitable remotely over the network at low attack complexity and does not require privileges.
Critical Impact
Remote unauthenticated attackers can enumerate and read metadata about user-owned smart device groupings hosted in the Growatt Cloud Portal.
Affected Products
- Growatt Cloud Portal (all versions prior to vendor remediation)
- Growatt cloud-connected inverter and monitoring devices bound to the portal
- Web and mobile clients that consume the portal's device collection APIs
Discovery Timeline
- 2025-04-15 - CVE-2025-27938 published to the National Vulnerability Database
- 2025-04-15 - CISA released ICS advisory ICSA-25-105-04 covering the Growatt Cloud Portal
- 2026-06-17 - Record last updated in NVD
Technical Details for CVE-2025-27938
Vulnerability Analysis
The Growatt Cloud Portal exposes API endpoints that return data about a user's rooms, the logical groupings that contain smart devices such as inverters, batteries, and sensors. The endpoint responsible for returning this data does not verify that the caller is authenticated or that the caller owns the referenced resource. An attacker with network access to the portal can request room information belonging to arbitrary users. The disclosed data includes device names, groupings, and related metadata that reveal how a customer has provisioned their installation. While the direct confidentiality impact is limited and there is no integrity or availability impact, the leaked context supports reconnaissance for targeted attacks against Internet-facing energy assets.
Root Cause
The root cause is a missing authorization check on API requests that reference resource identifiers under user control [CWE-639]. The backend trusts the identifier passed in the request rather than validating it against the authenticated session. Because the endpoint also fails to require authentication, an attacker does not need credentials to trigger the disclosure.
Attack Vector
An attacker sends crafted HTTP requests to the affected Growatt Cloud Portal API from any Internet-connected host. By iterating through room or user identifiers, the attacker enumerates records belonging to other tenants. No user interaction, phishing, or prior foothold is required. Public code examples are not available; refer to the CISA ICS Advisory ICSA-25-105-04 for vendor-supplied technical details.
Detection Methods for CVE-2025-27938
Indicators of Compromise
- Unauthenticated HTTP requests to Growatt Cloud Portal API paths that reference room or device collection identifiers.
- High-volume sequential enumeration of numeric resource identifiers from a single source IP.
- Requests to portal endpoints from source IPs that have no history of legitimate user sessions.
Detection Strategies
- Inspect web server and API gateway logs for requests to device collection endpoints that lack a valid session cookie or bearer token.
- Alert on identifier enumeration patterns where the same client requests many sequential resource IDs in a short window.
- Correlate portal access logs with known customer IP ranges to identify anomalous geographies or hosting-provider ASNs.
Monitoring Recommendations
- Forward Growatt Cloud Portal access logs, if operating the portal on-premises or via reseller infrastructure, to a centralized SIEM.
- Baseline normal request rates per client and alert on deviations above a defined threshold.
- Track HTTP response sizes on device collection endpoints; large or repeated 200 responses to unauthenticated clients indicate active abuse.
How to Mitigate CVE-2025-27938
Immediate Actions Required
- Apply the Growatt-published fix or configuration update referenced in CISA ICS Advisory ICSA-25-105-04 as soon as it is available for your deployment.
- Restrict inbound access to portal management interfaces to trusted networks where feasible.
- Rotate any API keys or tokens associated with exposed accounts and audit recent portal activity for reconnaissance.
Patch Information
Growatt operates the Cloud Portal as a hosted service. Vendor-side remediation is delivered via server-side updates rather than a customer-installable patch. Consult the CISA ICS Advisory ICSA-25-105-04 for the current fix status and any customer actions required.
Workarounds
- Place a web application firewall or reverse proxy in front of any self-hosted portal component and block unauthenticated requests to device collection endpoints.
- Enforce strict rate limiting on portal API endpoints to slow enumeration attempts.
- Limit the sensitivity of information stored in room names and descriptions to reduce the value of disclosed data.
# Example WAF rule concept: block unauthenticated access to room APIs
# ModSecurity-style pseudo-rule
SecRule REQUEST_URI "@rx /api/.*/(room|rooms|deviceCollection)" \
"id:1002793,phase:1,deny,status:401,\
chain,msg:'Block unauth access to Growatt room endpoints (CVE-2025-27938)'"
SecRule &REQUEST_HEADERS:Authorization "@eq 0" \
"chain"
SecRule &REQUEST_COOKIES:session "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

