CVE-2025-31950 Overview
CVE-2025-31950 is an authorization flaw in the Growatt Cloud Portal. An unauthenticated remote attacker can retrieve electric vehicle (EV) charger energy consumption information belonging to other users. The weakness is classified as [CWE-639] Authorization Bypass Through User-Controlled Key, commonly referred to as an Insecure Direct Object Reference (IDOR).
The issue affects the cloud-hosted portal that manages Growatt solar and EV charging products. Exploitation requires no authentication, no user interaction, and can be performed over the network. Successful exploitation exposes usage telemetry tied to other customers, enabling profiling of charging habits, presence patterns, and household activity.
Critical Impact
Unauthenticated attackers can enumerate EV charger consumption records of arbitrary Growatt Cloud Portal users, exposing customer usage patterns and enabling behavioral profiling.
Affected Products
- Growatt Cloud Portal (vendor-hosted cloud service)
- EV charger endpoints managed through the Growatt Cloud Portal
- Customer accounts whose consumption data is stored in the portal
Discovery Timeline
- 2025-04-15 - CVE-2025-31950 published to NVD
- 2025-04-15 - CISA ICS Advisory ICSA-25-105-04 published
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-31950
Vulnerability Analysis
The Growatt Cloud Portal exposes an endpoint that returns EV charger energy consumption data. The endpoint accepts a user-controlled identifier that references the target record but does not validate whether the requester is authorized to access that record. Because the check is missing entirely, no session or API token is required to invoke the endpoint successfully.
An attacker who can reach the portal over the internet can iterate through identifiers and harvest consumption data for other users. The data itself is not credential material, but it reveals when users charge vehicles, the volumes involved, and derivable habits such as commuting patterns and occupancy of a home or business.
The vulnerability is a server-side authorization defect. Client-side application logic and mobile companion apps are not the root cause. Patching must occur in the cloud service, which Growatt operates directly.
Root Cause
The root cause is missing authorization enforcement on a request handler that returns per-user consumption records. The handler trusts a user-controlled key from the request rather than deriving the target user from an authenticated session context. This matches the pattern described in [CWE-639].
Attack Vector
The attack vector is network-based against the vendor-hosted portal. An attacker sends crafted HTTP requests referencing another user's identifier and receives the associated EV charger consumption information in the response. No authentication or user interaction is required.
No verified proof-of-concept code is published. Refer to the CISA ICS Advisory ICSA-25-105-04 for authoritative technical details.
Detection Methods for CVE-2025-31950
Indicators of Compromise
- Unauthenticated HTTP requests to Growatt Cloud Portal endpoints that return per-user consumption data.
- Sequential or enumerated identifier values in query strings or request bodies targeting consumption or EV charger APIs.
- High-volume requests originating from a single source IP or a small set of source IPs against the portal.
Detection Strategies
- Review portal access logs for requests to consumption or EV charger endpoints that lack a valid session or authorization header.
- Alert on identifier enumeration patterns, such as monotonically incrementing user or device IDs in successive requests.
- Baseline normal request rates per source IP against the portal and flag statistical outliers.
Monitoring Recommendations
- Forward Growatt Cloud Portal and upstream reverse-proxy logs to a centralized analytics platform for correlation.
- Track response payload sizes on consumption endpoints to identify bulk data retrieval by unauthorized callers.
- Monitor for repeated 200 OK responses to unauthenticated requests on endpoints that should require authentication.
How to Mitigate CVE-2025-31950
Immediate Actions Required
- Confirm with Growatt that the cloud-side fix has been deployed to your tenant, as remediation is controlled by the vendor.
- Review historical portal activity for signs of prior data harvesting against your account.
- Restrict administrative and installer accounts to strong, unique credentials and enable any available multi-factor authentication on the portal.
Patch Information
Growatt Cloud Portal is a vendor-hosted service, and remediation is applied server-side by the vendor rather than through a customer-installed patch. Consult the CISA ICS Advisory ICSA-25-105-04 for the vendor's remediation status and any customer actions required.
Workarounds
- No customer-side workaround fully mitigates a server-side authorization flaw; rely on the vendor fix.
- Where possible, limit exposure of installer and end-user accounts and rotate credentials associated with the portal.
- Assume EV charger consumption data may have been exposed and inform affected stakeholders as required by local privacy regulations.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

