GrowattCVEs & Vulnerabilities
30 CVEs affecting Growatt products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.
Most Affected Products
An unauthenticated attacker can obtain EV charger energy consumption information of other users.
An unauthenticated attacker can obtain other users' charger information.
An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms").
Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.
Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.
Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).
An attacker can upload an arbitrary file instead of a plant image.
Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account.
Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.
An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.
Unauthenticated attackers can query an API endpoint and get device details.
An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.
An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs.
Unauthenticated attackers can rename "rooms" of arbitrary users.
Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).
An unauthenticated attacker can hijack other users' devices and potentially control them.
An attacker can export other users' plant information.
Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).
Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.
An authenticated attacker can obtain any plant name by knowing the plant ID.
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.
An unauthenticated attacker can check the existence of usernames in the system by querying an API.
An unauthenticated attacker can obtain a user's plant list by knowing the username.
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").
An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant.
An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username.
An attacker can change registered email addresses of other users and take over arbitrary accounts.
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").
An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.
An unauthenticated attacker can infer the existence of usernames in the system by querying an API.