Growatt Cloud Applications Authorization Bypass Vulnerability Allowing Unauthorized Data Access
Vulnerability
A vulnerability exists in Growatt cloud applications, specifically in the cloud portal versions through 3.6.0, allowing unauthorized users to access and export plant information belonging to other users. This issue arises from an authorization bypass through user-controlled keys, enabling attackers to query an API and retrieve sensitive data without proper authentication.
Impact
Exploitation of this vulnerability could lead to unauthorized access and export of plant information from other users' accounts.
Remediation
Growatt has reported that the cloud-based vulnerabilities were patched and no user action is needed. Users are advised to update all devices to the latest firmware version when available, use strong passwords, enable multi-factor authentication where applicable, and report any security concerns to Growatt's service email. CISA recommends minimizing network exposure for control system devices, using firewalls to isolate control system networks from business networks, and employing secure remote access methods like VPNs.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.