
CVE-2025-29757: CWE-863 Incorrect Authorization in Growatt https://oss.growatt.com

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2025-29757, cwe-863
Published: Sat Jul 19 2025 (07/19/2025, 05:15:36 UTC)
Source: CVE Database V5
Vendor/Project: Growatt
Product: https://oss.growatt.com

Description

An incorrect authorisation check in the 'plant transfer' function of the Growatt cloud service allowed a malicious attacker with a valid account to transfer any plant into his/her account.

AI-Powered Analysis

Last updated: 07/27/2025, 00:53:02 UTC

Technical Analysis

CVE-2025-29757 is a critical security vulnerability identified in the Growatt cloud service platform, specifically affecting the 'plant transfer' functionality accessible via https://oss.growatt.com. The vulnerability is classified under CWE-863, which denotes an incorrect authorization issue. This flaw allows an attacker who already possesses a valid user account on the platform to bypass proper authorization controls and transfer ownership of any plant (solar energy installation or asset managed within the Growatt ecosystem) into their own account. The vulnerability does not require user interaction and can be exploited remotely over the network without elevated privileges beyond a valid user account. The CVSS v4.0 base score of 9.4 reflects the critical nature of this vulnerability, highlighting its high impact on confidentiality, integrity, and availability. The vector metrics indicate that the attack can be performed with low complexity (AC:L), no user interaction (UI:N), and no additional privileges beyond a valid account (PR:L). The vulnerability affects all versions indicated as '0', suggesting it may be present in initial or early releases of the product. Although no public exploits are currently known in the wild, the severity and ease of exploitation make it a significant threat. The lack of patch links indicates that a fix may not yet be publicly available, increasing the urgency for mitigation. The vulnerability could allow attackers to manipulate plant ownership records, potentially disrupting operational control, data integrity, and trust in the Growatt cloud service, which is critical for managing distributed energy resources.

Potential Impact

For European organizations, particularly those involved in renewable energy management, solar power generation, and energy asset monitoring using Growatt products, this vulnerability poses a substantial risk. Unauthorized transfer of plant ownership could lead to loss of control over critical energy infrastructure, manipulation of energy production data, and potential financial losses due to misappropriation or fraudulent control of assets. This could disrupt energy supply chains, affect grid stability, and undermine regulatory compliance related to energy reporting and asset management. Additionally, compromised accounts could be leveraged for further attacks within the energy sector, which is a strategic industry in Europe’s green energy transition. The breach of confidentiality and integrity of plant data could also impact contractual agreements and stakeholder trust. Given the criticality of energy infrastructure, such an exploit could have cascading effects on operational continuity and national energy security in European countries heavily invested in solar energy solutions.

Mitigation Recommendations

Immediate mitigation steps should include restricting the 'plant transfer' functionality to only highly trusted and verified accounts with multi-factor authentication (MFA) enforced. Growatt administrators should implement strict authorization checks ensuring that only authorized personnel can initiate plant transfers, ideally incorporating role-based access control (RBAC) and transaction approval workflows. Monitoring and logging of all plant transfer requests should be enhanced to detect anomalous or unauthorized activities promptly. Organizations should conduct an audit of existing plant ownership records to identify any unauthorized transfers and revert them if necessary. Until an official patch is released, network-level controls such as Web Application Firewalls (WAFs) can be configured to detect and block suspicious requests targeting the plant transfer endpoint. User education on account security and immediate revocation of compromised credentials are also critical. European organizations should engage with Growatt for timely updates and consider isolating critical energy management systems from direct internet exposure where feasible.
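
The ownership check and the audit of ownership records recommended above can be sketched as follows. This is an added example, not Growatt's code and not part of the advisory. The record fields (`plant_id`, `requested_by`, `new_owner`), the account names, the admin role and the sample log are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    """One plant-transfer request (hypothetical schema, not Growatt's API)."""
    ts: str
    plant_id: str
    requested_by: str   # authenticated account that sent the request
    new_owner: str      # account the plant is moved into

def is_authorized(t, owners, admins=frozenset()):
    """Object-level check: the requester must own this specific plant
    (or hold an explicit admin role). Being logged in is not sufficient."""
    return owners.get(t.plant_id) == t.requested_by or t.requested_by in admins

def audit_transfers(initial_owners, transfers, admins=frozenset()):
    """Replay transfers in time order against the ownership table.
    Returns (unauthorized transfers, ownership if those had been refused)."""
    owners = dict(initial_owners)
    flagged = []
    for t in sorted(transfers, key=lambda x: x.ts):
        if is_authorized(t, owners, admins):
            owners[t.plant_id] = t.new_owner
        else:
            flagged.append(t)  # candidate for reversion and investigation
    return flagged, owners

# Constructed sample data: a baseline ownership table and a transfer log.
INITIAL_OWNERS = {"plant-100": "alice", "plant-200": "bob", "plant-300": "carol"}
SAMPLE_LOG = [
    Transfer("2025-07-01T09:00:00Z", "plant-100", "alice", "dave"),       # owner hands over
    Transfer("2025-07-02T11:30:00Z", "plant-200", "mallory", "mallory"),  # requester is not the owner
    Transfer("2025-07-03T08:15:00Z", "plant-100", "dave", "alice"),       # new owner returns it
    Transfer("2025-07-04T14:00:00Z", "plant-300", "installer-admin", "erin"),  # explicit admin role
    Transfer("2025-07-05T10:00:00Z", "plant-100", "dave", "mallory"),     # dave no longer owns it
]

if __name__ == "__main__":
    flagged, owners = audit_transfers(INITIAL_OWNERS, SAMPLE_LOG, admins={"installer-admin"})
    for t in flagged:
        print(f"UNAUTHORIZED {t.ts} {t.plant_id} requested_by={t.requested_by} -> {t.new_owner}")
    print(owners)
```

Because the replay refuses each unauthorized transfer, any later transfer made by an account that only gained the plant through a flagged request is flagged as well, which gives the full chain to revert.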


Technical Details

Data Version: 5.1
Assigner Short Name: DIVD
Date Reserved: 2025-03-11T13:40:29.272Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 687b2d9ea83201eaacfa23a4

Added to database: 7/19/2025, 5:31:10 AM

Last enriched: 7/27/2025, 12:53:02 AM

Last updated: 8/29/2025, 7:34:51 PM
