CVE-2025-36748: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Growatt ShineLan-X
ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the local configuration web server. A JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.
AI Analysis
Technical Summary
CVE-2025-36748 is a stored cross-site scripting (XSS) vulnerability categorized under CWE-79 affecting the Growatt ShineLan-X product, version 3.6.0.0. The vulnerability resides in the local configuration web server of the device, specifically within the communication module’s settings center, where user input is improperly neutralized during web page generation. An attacker can inject malicious JavaScript code snippets into this settings interface; the snippets are stored and later executed in the browser of any legitimate user who accesses the affected web interface. This stored XSS does not require user interaction or authentication, making it remotely exploitable over the network (AV:N) with low attack complexity (AC:L). The vulnerability impacts confidentiality heavily (VC:H), with limited impact on availability and integrity. The scope is limited to the local web server but can affect all users accessing the interface. The CVSS 4.0 score of 8.4 reflects the high severity and potential for significant compromise, including session hijacking, credential theft, or unauthorized command execution within the browser context. No patches are currently available, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the importance of secure input validation and output encoding in embedded device web interfaces, especially in critical infrastructure components such as solar energy management systems.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, particularly for those relying on Growatt ShineLan-X devices for solar energy management and monitoring. Exploitation could lead to unauthorized access to sensitive configuration data, theft of user credentials, or manipulation of device settings through the victim’s browser. This could disrupt energy management operations, lead to data breaches, or facilitate further network intrusion. Given the increasing adoption of renewable energy solutions in Europe, including solar power systems integrated into critical infrastructure and commercial facilities, the risk extends beyond individual devices to broader operational continuity and data integrity. Additionally, attackers could leverage this vulnerability as a foothold to pivot into internal networks, especially if the devices are accessible remotely or insufficiently segmented. The lack of required user interaction or authentication increases the likelihood of exploitation in environments where the device’s web interface is exposed or accessible to multiple users.
Mitigation Recommendations
1. Immediately restrict access to the ShineLan-X local configuration web server by implementing network segmentation and firewall rules to limit access only to trusted administrators and internal networks.
2. Employ VPN or secure tunnels for remote access to the device’s management interface to prevent unauthorized external access.
3. Implement strict input validation and output encoding on the communication module’s settings center to neutralize potentially malicious scripts; if possible, apply vendor-provided patches or updates once available.
4. Monitor device logs and network traffic for unusual activity indicative of exploitation attempts, such as unexpected JavaScript payloads or anomalous configuration changes.
5. Educate administrators and users about the risks of stored XSS and enforce the principle of least privilege for device management accounts.
6. If patching is not immediately possible, consider disabling or limiting the use of the vulnerable web interface and use alternative management methods if supported.
7. Regularly audit and update device firmware and software to incorporate security fixes and improvements.
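To make recommendations 3 and 4 concrete, the following added example (not Growatt's code and not part of this entry) shows a generic settings-page renderer in the vulnerable form, where stored values are concatenated straight into HTML, next to the hardened form that HTML-encodes every value at output time, plus a simple audit that flags stored settings values containing script-like markup. The settings dictionary and field names are constructed for illustration.

```python
import html
import re

# Constructed sample of stored settings values (not taken from the device):
# one benign label and one field holding injected markup.
SAMPLE_SETTINGS = {
    "device_name": "Inverter-01",
    "server_host": '"><script>alert(1)</script>',
}


def render_unsafe(settings: dict) -> str:
    """Vulnerable pattern: stored values are concatenated straight into HTML,
    so a value containing quotes or tags rewrites the page (CWE-79)."""
    rows = "".join(
        f'<tr><td>{k}</td><td><input name="{k}" value="{v}"></td></tr>'
        for k, v in settings.items()
    )
    return f"<table>{rows}</table>"


def render_safe(settings: dict) -> str:
    """Hardened pattern: HTML-encode every stored value at output time.
    quote=True also encodes " and ' so a value cannot break out of the
    attribute it is placed in."""
    rows = "".join(
        f'<tr><td>{html.escape(k, quote=True)}</td>'
        f'<td><input name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(str(v), quote=True)}"></td></tr>'
        for k, v in settings.items()
    )
    return f"<table>{rows}</table>"


# Heuristic indicators of markup or script in a field that should only hold
# a plain hostname or label; used for the monitoring/audit recommendation.
_SUSPECT = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe)\b|javascript:|\bon\w+\s*=", re.I
)


def audit_settings(settings: dict) -> list:
    """Return the names of settings whose stored value looks like injected
    markup, for logging or alerting on anomalous configuration changes."""
    return [k for k, v in settings.items() if _SUSPECT.search(str(v))]
```

The audit regex is a coarse heuristic for fields that are expected to hold plain values; it complements output encoding and does not replace it.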
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium, Poland, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: DIVD
- Date Reserved: 2025-04-15T21:54:36.814Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 693d2747f35c2264d84722ed
Added to database: 12/13/2025, 8:43:51 AM
Last enriched: 12/20/2025, 9:02:55 AM
Last updated: 2/7/2026, 7:58:37 AM