CVE-2025-36754: CWE-290 Authentication Bypass by Spoofing in Growatt ShineLan-X
The authentication mechanism on the web interface is not properly implemented. It is possible to bypass authentication checks by crafting a POST request with new settings, since there is no session token or authentication in place. This would allow an attacker, for instance, to point the device to an arbitrary address for domain name resolution, e.g. to facilitate a man-in-the-middle (MitM) attack.
AI Analysis
Technical Summary
CVE-2025-36754 is an authentication bypass in the web interface of the Growatt ShineLan-X, affecting version 3.6.0.0. The root cause is an improperly implemented authentication mechanism: the web interface issues no session token and performs no authentication check on the POST requests that modify device settings, so an attacker with limited privileges (local network access or a low-privileged authenticated user) can change critical device configuration simply by submitting a request carrying new values. The most notable consequence is the ability to alter the device's domain name resolution settings and redirect its DNS queries to an attacker-controlled server, which in turn enables man-in-the-middle (MitM) interception, manipulation or disruption of the traffic between the device and the legitimate services it communicates with. The issue is classified as CWE-290 (Authentication Bypass by Spoofing) and carries a CVSS 4.0 base score of 9.3, i.e. critical severity. The vector metrics are local attack vector (AV:L), low attack complexity (AC:L), no user interaction (UI:N) and low privileges required (PR:L), with high impact on confidentiality, integrity and availability. No patch and no public exploit is currently available, but the simplicity of the flaw means it could be weaponized quickly. The device is commonly used in solar energy management, so the vulnerability is a significant concern for energy infrastructure security.
Potential Impact
For European organizations, especially those operating in the renewable energy sector, this vulnerability poses a severe risk. Unauthorized modification of device settings can lead to redirection of DNS queries, enabling attackers to intercept or manipulate communications, potentially disrupting energy management operations. This could result in loss of data confidentiality, integrity breaches, and availability issues, impacting operational continuity and safety. Given the critical infrastructure nature of solar energy systems, exploitation could have cascading effects on energy supply reliability and trust in smart grid components. Additionally, attackers could leverage this vulnerability to establish persistent footholds or pivot to other network segments. The lack of authentication enforcement increases the risk of insider threats or lateral movement within corporate networks. The absence of known exploits currently provides a window for proactive mitigation, but the critical CVSS score underscores the urgency for European organizations to address this vulnerability promptly.
Mitigation Recommendations
1. Immediately isolate affected Growatt ShineLan-X devices from untrusted networks to limit exposure.
2. Implement strict network segmentation to restrict device access only to authorized personnel and systems.
3. Monitor network traffic for unusual DNS queries or configuration changes indicative of exploitation attempts.
4. Enforce strong access controls and authentication mechanisms at the network level, such as VPNs or zero-trust models, until a vendor patch is available.
5. Regularly audit device configurations and logs to detect unauthorized changes early.
6. Engage with Growatt support channels to obtain firmware updates or patches addressing this vulnerability as soon as they are released.
7. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous POST requests targeting device management interfaces.
8. Educate operational technology (OT) and IT teams about this vulnerability to ensure rapid incident response readiness.
9. Where possible, replace or upgrade devices that cannot be patched promptly to minimize risk exposure.
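The monitoring recommendations (items 3, 5 and 7) can be implemented as simple detection logic over request records from a network monitor placed in front of the device. The following is an added example, not code from the advisory or from Growatt; the record layout, the /config path prefix and the dns_server parameter are constructed placeholders, because the advisory does not name the real endpoints or parameters.

```python
"""Flag unauthenticated configuration-changing POSTs and DNS-setting drift."""
import re

# Constructed record layout from a monitor in front of the device:
#   <client> <method> <path> auth=<yes|no> [body=<k=v&k=v>]
# The layout, the /config prefix and the dns_server parameter are assumptions,
# not the real ShineLan-X interface.
LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"auth=(?P<auth>yes|no)(?: body=(?P<body>\S*))?$"
)
CONFIG_PREFIX = "/config"                    # assumed management path prefix
ALLOWED_DNS = {"192.0.2.53", "192.0.2.54"}   # the organisation's own resolvers

def parse_body(body):
    """Turn 'k=v&k2=v2' into a dict; malformed pairs are ignored."""
    return dict(kv.split("=", 1) for kv in body.split("&") if "=" in kv)

def audit_line(line, allowed_dns=ALLOWED_DNS):
    """Return the findings for one request record (empty list if benign)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable record"]
    findings = []
    client, method, path = m["client"], m["method"], m["path"]
    params = parse_body(m["body"] or "")
    # CWE-290 condition: a state-changing request accepted with no session
    # token or credential at all. A correctly built interface would reject it.
    if method == "POST" and path.startswith(CONFIG_PREFIX) and m["auth"] == "no":
        findings.append(f"unauthenticated config change via {path} from {client}")
    # Items 3 and 5: a resolver outside the allow-list is a configuration
    # change worth alerting on, whether or not the request was authenticated.
    dns = params.get("dns_server")
    if dns is not None and dns not in allowed_dns:
        findings.append(f"DNS resolver changed to untrusted {dns} from {client}")
    return findings

def audit_log(lines, allowed_dns=ALLOWED_DNS):
    return [f for line in lines for f in audit_line(line, allowed_dns)]

SAMPLE_LOG = [  # constructed records, not captured traffic
    "10.0.0.5 GET /status auth=no",
    "10.0.0.5 POST /config/network auth=yes body=dns_server=192.0.2.53",
    "10.0.0.99 POST /config/network auth=no body=dns_server=198.51.100.7&hostname=lan-x",
    "10.0.0.7 POST /config/time auth=no body=ntp=pool.example",
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```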
Affected Countries
Germany, Spain, Italy, Netherlands, France, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: DIVD
- Date Reserved: 2025-04-15T21:54:36.815Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693d2747f35c2264d84722fc
Added to database: 12/13/2025, 8:43:51 AM
Last enriched: 12/20/2025, 9:03:55 AM
Last updated: 2/7/2026, 1:27:17 PM