Growatt Cloud Applications Username Enumeration Vulnerability
Vulnerability
A vulnerability exists in Growatt Cloud Applications, specifically in cloud portal versions through 3.6.0, that allows an unauthenticated attacker to determine whether a given username exists by querying an API. The weakness is classed as an authorization bypass through user-controlled keys: the username supplied in the request is used as a lookup key without the portal verifying that the requester is entitled to that account's data. Beyond confirming which usernames are valid (which narrows subsequent password guessing to real accounts), this could lead to unauthorized access to user information and to actions performed on behalf of the user.
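The enumeration mechanism described above, as an added example that is not part of the original advisory and does not reproduce the Growatt API: a hypothetical login handler whose response differs for an unknown username versus a wrong password, an attacker-side oracle that exploits that difference, and a hardened handler that returns one uniform response and runs the same hash computation on both paths so neither the body nor the timing reveals whether the account exists. The user store, salts and function names are constructed for the example.

```python
"""Username-enumeration oracle and its fix (hypothetical handlers, constructed data)."""
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # Same PBKDF2 cost on every path so a missing user does not return faster.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed user store: username -> (salt, password hash). Not real accounts.
_SALT_A = b"salt-for-alice"
USERS = {
    "alice@example.com": (_SALT_A, _hash("correct horse battery", _SALT_A)),
}

# Dummy credential used when the username is unknown, so the hardened
# handler still performs a full hash computation before answering.
_DUMMY_SALT = b"dummy-salt"
_DUMMY_HASH = _hash("unused-placeholder", _DUMMY_SALT)


def vulnerable_login(username: str, password: str) -> dict:
    """Leaks account existence: 404 for unknown users, 401 for a bad password."""
    rec = USERS.get(username)
    if rec is None:
        return {"status": 404, "msg": "user does not exist"}
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return {"status": 200, "msg": "ok"}
    return {"status": 401, "msg": "wrong password"}


def hardened_login(username: str, password: str) -> dict:
    """Uniform failure response; hashing runs whether or not the user exists."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    # Always compute and compare first; only then fold in existence.
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and rec is not None:
        return {"status": 200, "msg": "ok"}
    return {"status": 401, "msg": "invalid username or password"}


def enumerate_users(login, candidates, probe_password: str = "not-the-password"):
    """Attacker's oracle: a candidate is treated as a valid account when the
    response to a deliberately wrong password differs from the response for a
    name that certainly does not exist."""
    baseline = login("no-such-user-" + secrets.token_hex(8), probe_password)
    return [u for u in candidates if login(u, probe_password) != baseline]


if __name__ == "__main__":
    wordlist = ["alice@example.com", "bob@example.com", "admin"]
    print("vulnerable:", enumerate_users(vulnerable_login, wordlist))
    print("hardened:  ", enumerate_users(hardened_login, wordlist))
```

Against the vulnerable handler the oracle recovers the real account from the wordlist; against the hardened one every probe looks identical, so the wordlist yields nothing while a correct password still authenticates.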
Impact
Exploitation of this vulnerability could allow an attacker to confirm valid account names without authenticating, bypass authorization, and access or manipulate user-related data and actions.
Remediation
Growatt has reported that the cloud-side vulnerabilities have been patched and that no user action is needed. Users are nonetheless advised to update all devices to the latest firmware version when it becomes available, to use strong passwords, to enable multi-factor authentication where it is offered, and to report any security concerns to Growatt's service email. CISA additionally recommends minimizing network exposure for control system devices, using firewalls to isolate control system networks from business networks, and employing secure remote access methods such as VPNs.