CVE-2025-36751 identifies a critical security vulnerability in the Growatt ShineLan-X and MIC 3300TL-X solar inverter products, specifically version 3.6.0.0. The core issue is the absence of encryption on the configuration interface used for communication between the inverter and its cloud endpoint. This lack of encryption (CWE-311) means that any attacker with access to the same network segment can intercept sensitive data transmitted between the device and cloud services. Furthermore, the attacker can manipulate these communications, potentially altering inverter configurations or commands. The vulnerability does not require authentication or user interaction, making exploitation straightforward for anyone on the network. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) reflects that the attack can be performed remotely over a local network with low complexity and no privileges, and it can cause high confidentiality, integrity, and availability impacts. Although no public exploits are known yet, the critical severity score of 9.4 highlights the urgency of addressing this issue. The vulnerability affects energy infrastructure components that are increasingly critical in Europe’s renewable energy landscape, raising concerns about potential disruptions or unauthorized data access. No patches are currently listed, indicating that organizations must rely on interim mitigations until vendor fixes are released.

For European organizations, this vulnerability poses significant risks to the confidentiality, integrity, and availability of solar energy infrastructure. Interception of unencrypted communications could expose sensitive operational data, including configuration settings and performance metrics, potentially leading to privacy violations or competitive intelligence leaks. Manipulation of inverter commands could disrupt energy production, cause equipment damage, or destabilize grid operations, especially in facilities relying heavily on Growatt inverters. Given the increasing reliance on renewable energy sources across Europe, such disruptions could have cascading effects on energy supply stability and operational costs. Additionally, compromised inverters could be leveraged as entry points for broader network intrusions, threatening organizational IT security. The absence of encryption also raises compliance concerns under European data protection regulations, such as GDPR, if personal or operational data is exposed. Overall, the vulnerability undermines trust in critical energy infrastructure and necessitates urgent attention from operators and regulators.

1. Network Segmentation: Isolate Growatt inverter devices on dedicated network segments with strict access controls to limit attacker access. 2. Use VPNs or Encrypted Tunnels: Where possible, route inverter communications through secure VPNs or encrypted tunnels to compensate for the lack of native encryption. 3. Monitor Network Traffic: Deploy intrusion detection systems (IDS) and network monitoring tools to detect unusual traffic patterns or unauthorized access attempts targeting inverter devices. 4. Restrict Physical and Network Access: Limit physical and network access to inverter management interfaces to trusted personnel and systems only. 5. Vendor Engagement: Maintain close communication with Growatt for timely patch releases and apply updates immediately upon availability. 6. Incident Response Preparedness: Develop and test incident response plans specific to energy infrastructure compromise scenarios. 7. Configuration Hardening: Disable unnecessary services and change default credentials on inverter devices to reduce attack surface. 8. Logging and Auditing: Enable detailed logging of inverter communications and regularly audit logs for signs of tampering or interception. 9. Alternative Communication Channels: Evaluate the feasibility of using alternative, secure communication methods for inverter management until patches are available.