Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-30514

CVE-2025-30514: Growatt Cloud Portal Info Disclosure Flaw

CVE-2025-30514 is an information disclosure vulnerability in Growatt Cloud Portal that allows unauthenticated attackers to access restricted smart device collection data. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-30514 Overview

CVE-2025-30514 is an authorization flaw in the Growatt Cloud Portal. Unauthenticated remote attackers can retrieve restricted information about a user's smart device collections, referred to as "scenes." The weakness maps to [CWE-639] Authorization Bypass Through User-Controlled Key, indicating the platform relies on client-supplied identifiers without enforcing session-based access checks. Because the vector is network-facing and requires no privileges or user interaction, any remote actor with knowledge of the endpoint can enumerate scene data belonging to arbitrary Growatt customers. CISA published advisory ICSA-25-105-04 covering this and related Growatt issues.

Critical Impact

Unauthenticated attackers can enumerate and read private smart device scene configurations tied to Growatt Cloud Portal accounts.

Affected Products

  • Growatt Cloud Portal (cloud-hosted service)
  • Growatt smart device management scenes exposed through the portal API
  • Customer accounts registered to the Growatt Cloud Portal at the time of disclosure

Discovery Timeline

  • 2025-04-15 - CVE-2025-30514 published to the National Vulnerability Database
  • 2025-04-15 - CISA releases ICS advisory ICSA-25-105-04 covering Growatt Cloud Portal issues
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-30514

Vulnerability Analysis

The Growatt Cloud Portal exposes API endpoints that return metadata about user-defined scenes. A scene groups smart devices and automation rules associated with a specific Growatt account. The affected endpoints accept identifiers that reference scene records but fail to verify that the requesting caller owns the referenced resource. Because the endpoints also do not require an authenticated session, an unauthenticated remote actor can issue crafted requests and receive scene data belonging to other users. The disclosure is limited to confidentiality: integrity and availability of the underlying devices are not directly affected. The attack scales through simple enumeration of identifier values across the Growatt customer base.

Root Cause

The root cause is broken object-level authorization on scene-related API routes. The service trusts identifiers supplied by the caller and skips both authentication and ownership validation. This aligns with the classic [CWE-639] pattern where a user-controlled key becomes the sole gate to a protected resource.

Attack Vector

An attacker sends HTTP requests to the Growatt Cloud Portal API using scene identifiers. No credentials, tokens, or user interaction are required. The attacker iterates identifier values to harvest scene metadata for multiple accounts. Refer to the CISA ICS Advisory ICSA-25-105-04 for the vendor-coordinated technical description.

No verified proof-of-concept code is public. The vulnerability mechanism is described in prose only because reliable exploit artifacts are not available in trusted sources.

Detection Methods for CVE-2025-30514

Indicators of Compromise

  • Bursts of anonymous HTTP requests to Growatt Cloud Portal scene endpoints originating from a small set of source IP addresses
  • Sequential or high-cardinality iteration of scene identifier parameters in web server logs
  • Successful HTTP 200 responses to requests that carry no session cookie or bearer token
  • Traffic to Growatt API hostnames from user agents inconsistent with the official Growatt mobile or web clients

Detection Strategies

  • Analyze cloud portal access logs for unauthenticated requests that return scene payloads and correlate by client IP and request rate
  • Build anomaly rules that flag identifier enumeration patterns, such as monotonically increasing numeric IDs across short time windows
  • Alert on API responses whose size or field set matches known scene objects when the request lacks an authenticated principal

Monitoring Recommendations

  • Forward Growatt Cloud Portal and upstream API gateway logs to a central analytics platform for retention and search
  • Track baseline volumes of anonymous requests per endpoint and alert on deviations exceeding historical norms
  • Review the CISA ICS Advisory ICSA-25-105-04 periodically for updated indicators and vendor remediation status

How to Mitigate CVE-2025-30514

Immediate Actions Required

  • Confirm with Growatt that the server-side fix for CVE-2025-30514 has been deployed to your tenant region
  • Review scene configurations for sensitive location or scheduling data that may have been exposed and rotate any secrets referenced within them
  • Restrict outbound access from operational networks to the Growatt Cloud Portal to authorized management hosts only
  • Subscribe to CISA ICS advisory notifications for future Growatt disclosures

Patch Information

Remediation for CVE-2025-30514 is delivered server-side by Growatt on the Cloud Portal service. End users do not apply a client patch. Consult the CISA ICS Advisory ICSA-25-105-04 and Growatt support channels to confirm the fix is active for your account and region.

Workarounds

  • Limit publication of Growatt account identifiers and scene metadata in third-party integrations while the fix is verified
  • Where possible, segment smart devices so that scene disclosure does not reveal facility layout, occupancy, or credentialed automation targets
  • Monitor Growatt Cloud Portal API traffic at the network egress point for anomalous query patterns until vendor confirmation is received
bash
# Example egress restriction to limit Growatt Cloud Portal access to approved hosts
iptables -A OUTPUT -p tcp -d server.growatt.com --dport 443 -m owner --uid-owner growatt-mgmt -j ACCEPT
iptables -A OUTPUT -p tcp -d server.growatt.com --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.