CVE-2025-30257 Overview
CVE-2025-30257 is an authorization vulnerability in the Growatt Cloud Portal. Unauthenticated attackers can query the platform to retrieve serial numbers of smart meters associated with a specific user account. The flaw is classified as [CWE-639] Authorization Bypass Through User-Controlled Key, a common form of Insecure Direct Object Reference (IDOR).
The issue affects the cloud portal used to manage Growatt solar and energy monitoring devices. CISA published advisory ICSA-25-105-04 covering this and related vulnerabilities in the Growatt product line.
Critical Impact
Unauthenticated network attackers can enumerate smart meter serial numbers tied to specific user accounts, exposing device inventory data that supports further targeting of energy infrastructure customers.
Affected Products
- Growatt Cloud Portal (all versions prior to the vendor fix referenced in CISA ICSA-25-105-04)
Discovery Timeline
- 2025-04-15 - CVE-2025-30257 published to NVD
- 2025-04-15 - CISA publishes ICS advisory ICSA-25-105-04
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-30257
Vulnerability Analysis
The Growatt Cloud Portal exposes an endpoint that returns smart meter serial numbers when supplied with a user identifier. The endpoint does not require authentication and does not verify that the requester is authorized to view the target account's device inventory.
An attacker interacting with the portal over the network can iterate through user identifiers and collect meter serial numbers tied to each account. The information disclosed is limited to device identifiers, but serial numbers are frequently used as trust anchors in device pairing and support workflows.
This behavior falls under [CWE-639], where authorization decisions rely on a user-controlled key rather than a server-side verified session identity. The vulnerability is network-reachable, requires no privileges, and requires no user interaction.
Root Cause
The portal's serial number lookup accepts a user account reference from the request without validating the caller's identity or entitlement to that account. Session context is not enforced on the endpoint, so any client can substitute arbitrary account identifiers.
Attack Vector
Exploitation occurs remotely over the network against the Growatt Cloud Portal's public API surface. An attacker sends crafted requests referencing target user identifiers and parses the responses to extract smart meter serial numbers. No credentials, tokens, or user interaction are required.
No public proof-of-concept exploit or exploitation-in-the-wild activity has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-30257
Indicators of Compromise
- Unauthenticated HTTP requests to Growatt Cloud Portal endpoints that reference user account identifiers or meter enumeration parameters
- Sequential or high-volume queries against portal APIs from a single source address
- Responses containing multiple distinct meter serial numbers returned to unauthenticated sessions
Detection Strategies
- Review web server and API gateway logs for unauthenticated calls to endpoints that return device serial numbers
- Alert on request patterns that iterate user identifiers within short time windows
- Correlate portal API access with known customer IP ranges to surface anomalous external enumeration
Monitoring Recommendations
- Instrument the cloud portal with structured request logging that captures caller identity, target account, and endpoint
- Track baseline query volumes per source IP and flag statistical outliers
- Monitor CISA ICS advisory updates for revised guidance on ICSA-25-105-04
How to Mitigate CVE-2025-30257
Immediate Actions Required
- Apply the vendor remediation referenced in the CISA ICS Advisory ICSA-25-105-04
- Restrict access to Growatt Cloud Portal management endpoints from untrusted networks where feasible
- Audit portal logs for prior unauthenticated enumeration of user account resources
Patch Information
Growatt has coordinated remediation through CISA. Refer to the CISA ICS Advisory ICSA-25-105-04 for the authoritative list of fixed versions and vendor mitigation guidance.
Workarounds
- Rotate or re-register meter serial numbers where the vendor supports it, if enumeration is suspected
- Enforce network-level rate limiting on portal API endpoints to slow enumeration attempts
- Require authenticated sessions for any endpoint that returns account-scoped device metadata
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

