Growatt Cloud Applications EV Charger Information Disclosure Vulnerability
Vulnerability
A vulnerability exists in Growatt Cloud Applications that allows an unauthenticated attacker who knows a charger ID to access that EV charger's version details and firmware upgrade history. This issue is present in the Growatt cloud portal, in versions through 3.6.0.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive information regarding EV chargers, including version details and firmware upgrade history.
Remediation
Growatt has reported that this vulnerability has been patched in the cloud-based portal. Users are advised to update their devices to the latest firmware version when available. CISA recommends minimizing network exposure for control system devices, using firewalls to isolate control system networks from business networks, and employing secure remote access methods such as VPNs.
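The flaw described on this page is a cloud lookup that returned charger data to anyone who supplied a charger ID. As an added illustration (not Growatt's code or its patch), the sketch below contrasts that pattern with a lookup that authenticates the caller and checks ownership of the requested charger; every name, ID, token and record in it is hypothetical and constructed.

```python
# Added illustration: all identifiers and records below are hypothetical and constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Charger:
    charger_id: str
    owner: str
    firmware_version: str
    upgrade_history: Tuple[str, ...]


# Constructed sample data standing in for the portal's database and session store.
CHARGERS = {
    "CHG-0001": Charger("CHG-0001", "alice", "1.2.3", ("1.0.0", "1.2.3")),
    "CHG-0002": Charger("CHG-0002", "bob", "1.1.0", ("1.1.0",)),
}
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}


def _body(charger: Charger) -> dict:
    return {"version": charger.firmware_version,
            "history": list(charger.upgrade_history)}


def charger_info_unchecked(charger_id: str):
    """Flawed pattern: knowing the charger ID is the only requirement."""
    charger = CHARGERS.get(charger_id)
    return (200, _body(charger)) if charger else (404, {})


def charger_info_checked(charger_id: str, session_token: Optional[str]):
    """Hardened pattern: authenticate first, then authorize per charger."""
    user = SESSIONS.get(session_token) if session_token else None
    if user is None:
        return 401, {}  # no valid session: reveal nothing about the ID
    charger = CHARGERS.get(charger_id)
    # Identical answer for "unknown ID" and "someone else's charger", so the
    # response cannot be used to confirm which charger IDs exist.
    if charger is None or charger.owner != user:
        return 404, {}
    return 200, _body(charger)
```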
