
CVE-2025-36751: CWE-311 Missing Encryption of Sensitive Data in Growatt ShineLan-X

Severity: Critical
Type: Vulnerability
Tags: CVE-2025-36751, cve, cve-2025-36751, cwe-311
Published: Sat Dec 13 2025 (12/13/2025, 08:16:21 UTC)
Source: CVE Database V5
Vendor/Project: Growatt
Product: ShineLan-X

Description

Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint.

AI-Powered Analysis

Last updated: 12/20/2025, 09:03:16 UTC

Technical Analysis

CVE-2025-36751 identifies a critical security vulnerability in the Growatt ShineLan-X and MIC 3300TL-X solar inverter models, specifically version 3.6.0.0. The core issue is the absence of encryption on the configuration interface, which is responsible for communication between the inverter and its cloud management endpoint. This lack of encryption (classified under CWE-311: Missing Encryption of Sensitive Data) means that any attacker with access to the local network can intercept the data exchanged, including configuration commands and status information. Furthermore, the attacker can manipulate these communications, potentially altering inverter behavior or injecting malicious commands. The vulnerability has a CVSS 4.0 base score of 9.4, reflecting critical severity due to its high impact on confidentiality, integrity, and availability, combined with low attack complexity and no need for authentication or user interaction. Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk to the security and reliability of solar energy systems using these devices. The lack of encryption exposes sensitive operational data and control mechanisms, which could be leveraged to disrupt energy production or cause physical damage. The vulnerability was published on December 13, 2025, with no patches currently available, emphasizing the need for immediate mitigation measures.

Potential Impact

For European organizations, this vulnerability poses a substantial threat to the security and reliability of solar energy infrastructure. Interception and manipulation of inverter communications could lead to unauthorized control over energy production, resulting in operational disruptions or damage to equipment. Confidential data leakage could expose sensitive operational parameters or user information. Given the increasing reliance on renewable energy in Europe, such attacks could have cascading effects on energy grids, especially in regions with high penetration of Growatt inverters. The potential for attackers to manipulate inverter settings without detection threatens both the integrity and availability of energy services. This could impact industrial, commercial, and residential users, undermining trust in renewable energy solutions and potentially causing financial losses and safety hazards.

Mitigation Recommendations

Since no patches are currently available for CVE-2025-36751, European organizations should implement immediate compensating controls. First, isolate Growatt ShineLan-X and MIC 3300TL-X devices on dedicated network segments with strict access controls to limit exposure. Employ network monitoring and intrusion detection systems to identify unusual traffic patterns or unauthorized access attempts targeting inverter communication interfaces. Use VPNs or encrypted tunnels where possible to secure communication paths. Regularly audit device configurations and network logs for signs of tampering. Engage with Growatt for updates on patch availability and apply them promptly once released. Additionally, consider deploying endpoint security solutions capable of detecting anomalous device behavior. For new deployments, evaluate alternative inverter models with robust security features including encrypted communication. Finally, raise awareness among operational technology teams about this vulnerability and enforce strict physical and network access policies to reduce risk.
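
One way to audit the segmentation and tunnelling controls recommended above is to check flow records against the intended policy. This is an added example, not part of the advisory or any Growatt tooling; the subnet, allow-listed peers, capture-point labels and sample flows are constructed assumptions.

```python
import ipaddress

# Every address below is constructed for illustration (assumption, not from the advisory).
INVERTER_NET = ipaddress.ip_network("10.50.0.0/24")   # dedicated inverter segment
ALLOWED_PEERS = {
    ipaddress.ip_address("10.10.0.5"),   # approved admin workstation
    ipaddress.ip_address("10.10.0.1"),   # VPN gateway that tunnels cloud traffic
}

# Constructed flow records: (capture point, initiator, responder, dest port).
# "lan" = internal router, "wan" = site uplink before NAT (hypothetical labels).
SAMPLE_FLOWS = [
    ("lan", "10.50.0.20", "10.10.0.1", 443),     # inverter -> tunnel gateway
    ("lan", "10.10.0.5", "10.50.0.20", 80),      # admin host -> inverter
    ("lan", "10.20.3.77", "10.50.0.20", 80),     # office laptop -> inverter
    ("lan", "10.50.0.21", "10.20.3.9", 445),     # inverter -> office host
    ("wan", "10.50.0.20", "203.0.113.10", 80),   # inverter seen outside tunnel
    ("lan", "10.20.3.77", "10.20.3.9", 22),      # unrelated traffic
]


def audit_flow(point, src, dst, dport):
    """Return a finding name for one flow, or None if it matches the policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_inv, dst_inv = s in INVERTER_NET, d in INVERTER_NET
    if not (src_inv or dst_inv):
        return None                    # not inverter traffic
    if point == "wan":
        return "untunnelled"           # inverter traffic must stay inside the tunnel
    if dst_inv and not src_inv and s not in ALLOWED_PEERS:
        return "unauthorized-peer"     # host outside the segment reached an inverter
    if src_inv and not dst_inv and d not in ALLOWED_PEERS:
        return "unexpected-egress"     # inverter reached a host it should not
    return None


def audit(flows):
    """Return (finding, flow) pairs for every flow that violates the policy."""
    results = []
    for flow in flows:
        finding = audit_flow(*flow)
        if finding:
            results.append((finding, flow))
    return results


if __name__ == "__main__":
    for finding, flow in audit(SAMPLE_FLOWS):
        print(f"{finding:18} {flow}")
```
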


Technical Details

Data Version: 5.2
Assigner Short Name: DIVD
Date Reserved: 2025-04-15T21:54:36.814Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693d2747f35c2264d84722f3

Added to database: 12/13/2025, 8:43:51 AM

Last enriched: 12/20/2025, 9:03:16 AM

Last updated: 2/7/2026, 7:26:28 AM
