
CVE-2025-36747: CWE-798 Use of Hard-coded Credentials in Growatt ShineLan-X

Severity: Critical
Tags: Vulnerability, CVE-2025-36747, cve, cve-2025-36747, cwe-798
Published: Sat Dec 13 2025 (12/13/2025, 08:16:25 UTC)
Source: CVE Database V5
Vendor/Project: Growatt
Product: ShineLan-X

Description

A set of credentials for an FTP server was found within the ShineLan-X firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.

AI-Powered Analysis

Last updated: 12/13/2025, 08:50:14 UTC

Technical Analysis

CVE-2025-36747 identifies a critical security vulnerability in the Growatt ShineLan-X product, specifically firmware version 3.6.0.0. The root cause is the presence of hard-coded credentials for an FTP server embedded within the device firmware, classified under CWE-798 (Use of Hard-coded Credentials). Because the credentials ship in the firmware, an attacker can log in to the FTP server without legitimately issued credentials, user interaction, or elevated privileges. Once connected, the attacker can upload or replace the files that are deployed to devices. Compounding the risk, firmware signature verification is not enforced, meaning malicious files can be deployed and executed without detection. This undermines the integrity and availability of the device, potentially enabling persistent compromise, manipulation of device behavior, or disruption of services. The vulnerability has been assigned a CVSS 4.0 score of 9.4, indicating critical severity with high impact on confidentiality, integrity, and availability. The attack vector is adjacent network access (AV:A), requiring no privileges or user interaction, making exploitation feasible in environments where network access to the device exists. No public exploits have been reported yet, but the vulnerability's nature and severity suggest a high risk if left unmitigated. The affected product, Growatt ShineLan-X, is commonly used in solar energy management, making this vulnerability particularly relevant to energy infrastructure security.

Potential Impact

For European organizations, especially those in the renewable energy sector utilizing Growatt ShineLan-X devices, this vulnerability poses significant risks. Exploitation could lead to unauthorized modification of device firmware or configuration files, resulting in operational disruptions, inaccurate energy reporting, or complete device failure. This could affect grid stability, energy production monitoring, and contractual energy delivery commitments. Confidentiality could be compromised if attackers access sensitive operational data via the FTP server. Integrity is severely impacted due to the ability to replace legitimate files with malicious ones, potentially enabling persistent backdoors or sabotage. Availability is at risk if devices are rendered non-functional or manipulated to disrupt energy flows. Given the criticality of energy infrastructure in Europe and increasing regulatory scrutiny, such compromises could lead to regulatory penalties, financial losses, and reputational damage. The lack of firmware signature enforcement exacerbates the threat, as it removes a key security control that would otherwise prevent unauthorized firmware modifications.

Mitigation Recommendations

Immediate mitigation steps include:

1) Applying any available firmware updates or patches from Growatt that remove hard-coded credentials and implement proper authentication and signature verification.
2) If patches are unavailable, disable or restrict FTP services on ShineLan-X devices to prevent unauthorized access.
3) Implement network segmentation and firewall rules to limit access to the devices' management interfaces and FTP ports only to trusted administrators and systems.
4) Monitor network traffic for unusual FTP connections or file transfers indicative of exploitation attempts.
5) Conduct regular integrity checks of device firmware and configuration files to detect unauthorized changes.
6) Engage with Growatt support to obtain guidance and timelines for secure firmware releases.
7) Incorporate this vulnerability into incident response and risk management plans, prioritizing affected assets for remediation.
8) Educate operational technology (OT) and IT teams about the risks associated with hard-coded credentials and insecure update mechanisms to prevent similar issues in other devices.
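The monitoring described in steps 3 and 4 can be prototyped as a log audit. This is an added example, not code from Growatt or from the CVE record; the datalogger subnet, the allowlisted peer and the five-field log format are assumptions, and the sample lines are constructed.

```python
import ipaddress

# Assumptions, not from the advisory: the datalogger subnet, the approved
# FTP peer, and a "timestamp src dst dport command" sensor log format.
DEVICE_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.20.1.5")}
# FTP commands that create, change or remove files on the server (RFC 959).
WRITE_CMDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO"}

# Constructed sample input.
SAMPLE_LOG = """\
2025-12-13T09:00:01Z 10.20.1.5 10.20.30.11 21 RETR
2025-12-13T09:02:40Z 10.20.30.11 203.0.113.7 21 RETR
2025-12-13T09:05:12Z 10.20.40.77 10.20.30.12 21 STOR
2025-12-13T09:06:00Z 10.20.30.12 10.20.1.9 443 -
malformed line
"""

def audit_ftp(log_text):
    """Return (line number, finding, raw line) for FTP sessions that involve
    a datalogger and a peer outside the allowlist, plus unparsable lines."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        try:
            _, src, dst, dport, cmd = parts
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            # Keep bad lines visible: a silent skip would hide sensor gaps.
            findings.append((lineno, "unparsed", line))
            continue
        if port != 21:  # only the FTP control channel is of interest here
            continue
        src_is_dev = src_ip in DEVICE_NET
        if not (src_is_dev or dst_ip in DEVICE_NET):
            continue
        peer = dst_ip if src_is_dev else src_ip
        if peer in ALLOWED_PEERS:
            continue
        kind = "ftp-write" if cmd.upper() in WRITE_CMDS else "ftp-session"
        findings.append((lineno, kind + "-unapproved-peer", line))
    return findings

if __name__ == "__main__":
    for finding in audit_ftp(SAMPLE_LOG):
        print(finding)
```

The check is direction-agnostic, so it flags both a datalogger reaching an unapproved FTP server and an unapproved host opening FTP to a datalogger.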


Technical Details

Data Version: 5.2
Assigner Short Name: DIVD
Date Reserved: 2025-04-15T21:54:36.813Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693d2747f35c2264d84722ea

Added to database: 12/13/2025, 8:43:51 AM

Last enriched: 12/13/2025, 8:50:14 AM

Last updated: 12/13/2025, 1:34:05 PM
