Growatt Cloud Applications Authorization Bypass Vulnerability Allowing Unauthenticated Device Enumeration
Vulnerability
A vulnerability exists in the Growatt cloud applications, specifically the cloud portal in versions through 3.6.0. An unprotected API endpoint accepts a username as a request parameter and returns the list of smart devices associated with that account without requiring the caller to authenticate. Because the key that selects the records (the username) is entirely attacker-controlled and the server never checks that the caller owns that account, the issue is classified as an authorization bypass through a user-controlled key (CWE-639): anyone who knows or guesses a valid username can enumerate the devices linked to it.
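The following is an added illustration of the bug class described above, not Growatt's code and not its real API: the endpoint shape, the `username` parameter, the session-token scheme and the sample accounts are all hypothetical, constructed so the example runs offline. It places a vulnerable handler, which trusts a caller-supplied username as the record key, beside a hardened one that takes the principal from the authenticated session, and runs a small enumeration loop against both.

```python
"""Authorization bypass through a user-controlled key (CWE-639):
a vulnerable device-list handler beside its fix.

Hypothetical example. Endpoint, parameter names, session scheme and
the data below are assumptions for illustration, not a real vendor API.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: which devices belong to which account.
DEVICES_BY_USER = {
    "alice": ["INV-0001", "INV-0002"],
    "bob": ["INV-0100"],
}

# Constructed sessions: opaque token -> authenticated username.
SESSIONS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}


@dataclass
class Request:
    params: dict = field(default_factory=dict)  # query-string parameters
    session_token: Optional[str] = None         # cookie / bearer token, if any


@dataclass
class Response:
    status: int
    body: object = None


def vulnerable_list_devices(req: Request) -> Response:
    """Vulnerable handler: the record key (username) comes straight from the
    request and nothing checks who the caller is.  Note that the 404 for an
    unknown name also turns the endpoint into a username oracle."""
    username = req.params.get("username")
    if username not in DEVICES_BY_USER:
        return Response(404, {"error": "unknown user"})
    return Response(200, {"devices": DEVICES_BY_USER[username]})


def fixed_list_devices(req: Request) -> Response:
    """Hardened handler: the principal is taken from the authenticated session,
    never from a caller-supplied parameter, and a caller may only read their
    own records.  The 401 is returned before any lookup, so an unauthenticated
    caller cannot distinguish existing from non-existing usernames."""
    principal = SESSIONS.get(req.session_token)
    if principal is None:
        return Response(401, {"error": "authentication required"})
    # Tolerate the parameter for compatibility, but refuse any value that is
    # not the caller's own account (ignoring it entirely is equally valid).
    requested = req.params.get("username", principal)
    if requested != principal:
        return Response(403, {"error": "forbidden"})
    return Response(200, {"devices": DEVICES_BY_USER.get(principal, [])})


def enumerate_devices(handler, usernames, session_token=None):
    """Attacker-side loop modelling the enumeration described above: try each
    candidate username and keep whatever the endpoint hands back."""
    found = {}
    for name in usernames:
        resp = handler(Request(params={"username": name},
                               session_token=session_token))
        if resp.status == 200:
            found[name] = resp.body["devices"]
    return found


if __name__ == "__main__":
    candidates = ["alice", "bob", "carol"]
    print("vulnerable, unauthenticated:",
          enumerate_devices(vulnerable_list_devices, candidates))
    print("fixed, unauthenticated:     ",
          enumerate_devices(fixed_list_devices, candidates))
    print("fixed, authenticated as bob:",
          enumerate_devices(fixed_list_devices, candidates, "tok-bob"))
```

Against the vulnerable handler the loop recovers every account's devices with no credentials; against the fixed handler an unauthenticated caller gets nothing, and an authenticated caller sees only their own account. The same check is what a practitioner would run to verify a vendor's fix: an unauthenticated request that previously returned a device list should now fail with 401 or 403 regardless of whether the username exists.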
Impact
Exploitation allows an unauthenticated attacker who knows or guesses a valid username to enumerate the smart devices linked to that user's account. On its own this is an information disclosure, but the returned device list also supplies the identifiers an attacker would need for follow-on actions against those devices, should other endpoints accept them.
Remediation
Growatt has reported that the cloud-side vulnerabilities were patched and that no user action is needed. Users are nonetheless advised to update all devices to the latest firmware version as it becomes available, use strong passwords, enable multi-factor authentication where it is offered, and report any security concerns to Growatt's service email. CISA additionally recommends minimizing network exposure for control system devices, using firewalls to isolate control system networks from business networks, and employing secure remote access methods such as VPNs when remote access is required.
