CVE-2025-36753 is an authentication bypass vulnerability classified under CWE-290 affecting the Growatt ShineLan-X communication dongle, specifically version 3.6.0.0. The root cause is that the Serial Wire Debug (SWD) interface, which is intended for development and debugging purposes, is enabled and accessible by default on the device. This interface allows direct low-level access to the device's internals without requiring authentication or user interaction. An attacker with physical or network proximity to the device can connect to the SWD interface and gain debug access. This access enables extraction of sensitive information such as cryptographic secrets, configuration domains, or other protected data stored within the device. The vulnerability's CVSS 4.0 score is 8.6, reflecting a high severity due to the ease of exploitation (no privileges or user interaction needed), and the high impact on confidentiality, integrity, and availability. The vulnerability could facilitate further attacks on the solar energy infrastructure managed by these devices, including manipulation of device operation or data exfiltration. No patches or firmware updates are currently listed, and no exploits have been reported in the wild. The vulnerability was reserved in April 2025 and published in December 2025 by DIVD, indicating recent discovery and disclosure.

For European organizations, especially those involved in renewable energy production and management, this vulnerability poses a significant risk. Growatt ShineLan-X dongles are used to communicate with solar inverters and energy management systems, making them critical components in energy infrastructure. Exploitation could lead to unauthorized access to device secrets, enabling attackers to manipulate energy production data, disrupt operations, or pivot to other parts of the network. Confidentiality breaches could expose sensitive operational data or credentials, while integrity attacks could alter device behavior, potentially causing energy mismanagement or outages. Availability could also be impacted if attackers disable or corrupt device functionality. The risk is heightened in countries with substantial solar energy deployment using Growatt products, as well as in critical infrastructure sectors where energy reliability is paramount.

Immediate mitigation steps include physically securing devices to prevent unauthorized access to the SWD interface. Organizations should verify if the SWD debug interface can be disabled or access-restricted via device configuration or firmware updates. If possible, update to a patched firmware version once available from Growatt. Network segmentation should be enforced to isolate these devices from broader enterprise networks, limiting attacker lateral movement. Monitoring and logging of device communications can help detect anomalous access attempts. Additionally, organizations should engage with Growatt support to obtain guidance and request timely patches. For new deployments, ensure that debug interfaces are disabled by default and that secure device provisioning processes are followed. Regular security audits of IoT and OT devices in energy environments are recommended to identify similar risks.