Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-31950

CVE-2025-31950: Growatt Cloud Portal Info Disclosure Flaw

CVE-2025-31950 is an information disclosure vulnerability in Growatt Cloud Portal that allows unauthenticated attackers to access EV charger energy consumption data. This article covers technical details, impact, and mitigations.

Published:

CVE-2025-31950 Overview

CVE-2025-31950 is an authorization flaw in the Growatt Cloud Portal. An unauthenticated remote attacker can retrieve electric vehicle (EV) charger energy consumption information belonging to other users. The weakness is classified as [CWE-639] Authorization Bypass Through User-Controlled Key, commonly referred to as an Insecure Direct Object Reference (IDOR).

The issue affects the cloud-hosted portal that manages Growatt solar and EV charging products. Exploitation requires no authentication, no user interaction, and can be performed over the network. Successful exploitation exposes usage telemetry tied to other customers, enabling profiling of charging habits, presence patterns, and household activity.

Critical Impact

Unauthenticated attackers can enumerate EV charger consumption records of arbitrary Growatt Cloud Portal users, exposing customer usage patterns and enabling behavioral profiling.

Affected Products

  • Growatt Cloud Portal (vendor-hosted cloud service)
  • EV charger endpoints managed through the Growatt Cloud Portal
  • Customer accounts whose consumption data is stored in the portal

Discovery Timeline

  • 2025-04-15 - CVE-2025-31950 published to NVD
  • 2025-04-15 - CISA ICS Advisory ICSA-25-105-04 published
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-31950

Vulnerability Analysis

The Growatt Cloud Portal exposes an endpoint that returns EV charger energy consumption data. The endpoint accepts a user-controlled identifier that references the target record but does not validate whether the requester is authorized to access that record. Because the check is missing entirely, no session or API token is required to invoke the endpoint successfully.

An attacker who can reach the portal over the internet can iterate through identifiers and harvest consumption data for other users. The data itself is not credential material, but it reveals when users charge vehicles, the volumes involved, and derivable habits such as commuting patterns and occupancy of a home or business.

The vulnerability is a server-side authorization defect. Client-side application logic and mobile companion apps are not the root cause. Patching must occur in the cloud service, which Growatt operates directly.

Root Cause

The root cause is missing authorization enforcement on a request handler that returns per-user consumption records. The handler trusts a user-controlled key from the request rather than deriving the target user from an authenticated session context. This matches the pattern described in [CWE-639].

Attack Vector

The attack vector is network-based against the vendor-hosted portal. An attacker sends crafted HTTP requests referencing another user's identifier and receives the associated EV charger consumption information in the response. No authentication or user interaction is required.

No verified proof-of-concept code is published. Refer to the CISA ICS Advisory ICSA-25-105-04 for authoritative technical details.

Detection Methods for CVE-2025-31950

Indicators of Compromise

  • Unauthenticated HTTP requests to Growatt Cloud Portal endpoints that return per-user consumption data.
  • Sequential or enumerated identifier values in query strings or request bodies targeting consumption or EV charger APIs.
  • High-volume requests originating from a single source IP or a small set of source IPs against the portal.

Detection Strategies

  • Review portal access logs for requests to consumption or EV charger endpoints that lack a valid session or authorization header.
  • Alert on identifier enumeration patterns, such as monotonically incrementing user or device IDs in successive requests.
  • Baseline normal request rates per source IP against the portal and flag statistical outliers.

Monitoring Recommendations

  • Forward Growatt Cloud Portal and upstream reverse-proxy logs to a centralized analytics platform for correlation.
  • Track response payload sizes on consumption endpoints to identify bulk data retrieval by unauthorized callers.
  • Monitor for repeated 200 OK responses to unauthenticated requests on endpoints that should require authentication.

How to Mitigate CVE-2025-31950

Immediate Actions Required

  • Confirm with Growatt that the cloud-side fix has been deployed to your tenant, as remediation is controlled by the vendor.
  • Review historical portal activity for signs of prior data harvesting against your account.
  • Restrict administrative and installer accounts to strong, unique credentials and enable any available multi-factor authentication on the portal.

Patch Information

Growatt Cloud Portal is a vendor-hosted service, and remediation is applied server-side by the vendor rather than through a customer-installed patch. Consult the CISA ICS Advisory ICSA-25-105-04 for the vendor's remediation status and any customer actions required.

Workarounds

  • No customer-side workaround fully mitigates a server-side authorization flaw; rely on the vendor fix.
  • Where possible, limit exposure of installer and end-user accounts and rotate credentials associated with the portal.
  • Assume EV charger consumption data may have been exposed and inform affected stakeholders as required by local privacy regulations.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.