Growatt Cloud Applications Unauthenticated Information Disclosure Vulnerability

Vulnerability

A vulnerability exists in Growatt Cloud Applications, specifically in cloud portal versions through 3.6.0, that allows unauthenticated attackers to access restricted information about a user's smart device collections, referred to as 'rooms'. It is categorized as an authorization bypass through user-controlled keys: an unprotected API accepts a caller-supplied identifier and returns the corresponding data without proper authentication, so the key alone is enough to retrieve sensitive information.
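
The flaw class above (authorization bypass through a user-controlled key) is easiest to see as a vulnerable lookup next to its hardened form. The following is an added example, not Growatt's code or API: the room data, session tokens, function names and the access-log format are all constructed for illustration. It also includes a small detector that flags sources which request many distinct room ids without a session, which is the traffic pattern a defender would watch for.

```python
"""Authorization bypass through a user-controlled key: vulnerable lookup,
hardened lookup, and a log-based detector. Constructed example; the data,
names and log format are hypothetical and are not Growatt's API."""

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


@dataclass
class Room:
    room_id: int
    owner_id: int
    name: str
    devices: List[str] = field(default_factory=list)


# Constructed sample data: two users, each owning one room.
ROOMS = {
    101: Room(101, owner_id=1, name="Living room", devices=["inverter-A"]),
    102: Room(102, owner_id=2, name="Garage", devices=["battery-B"]),
}

# Constructed session store (token -> user id), a stand-in for real session handling.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


class AuthError(Exception):
    """Raised when a request is unauthenticated or not authorized for the object."""


def get_room_vulnerable(room_id: int) -> dict:
    """Vulnerable pattern: the only input is the caller-supplied key, so any
    caller, authenticated or not, can read any user's room."""
    room = ROOMS[room_id]
    return {"name": room.name, "devices": list(room.devices)}


def get_room_secure(session_token: Optional[str], room_id: int) -> dict:
    """Hardened pattern: require a valid session, then check that the requested
    object belongs to the session's user (object-level authorization)."""
    user_id = SESSIONS.get(session_token or "")
    if user_id is None:
        raise AuthError("authentication required")
    room = ROOMS.get(room_id)
    # Same error for missing and foreign rooms, so the key cannot be used to
    # learn which ids exist.
    if room is None or room.owner_id != user_id:
        raise AuthError("room not found")
    return {"name": room.name, "devices": list(room.devices)}


# Constructed access-log format: "src=<ip> session=<token or -> room_id=<n>"
LOG_LINE = re.compile(r"src=(?P<src>\S+) session=(?P<session>\S+) room_id=(?P<room>\d+)")


def flag_unauthenticated_key_sweeps(log_lines: Iterable[str], threshold: int = 3) -> Set[str]:
    """Return sources that fetched at least `threshold` distinct room ids
    without any session, the signature of an unauthenticated key sweep."""
    seen = defaultdict(set)
    for line in log_lines:
        match = LOG_LINE.search(line)
        if not match or match.group("session") != "-":
            continue
        seen[match.group("src")].add(match.group("room"))
    return {src for src, ids in seen.items() if len(ids) >= threshold}


# Constructed sample log lines for the detector.
SAMPLE_LOG = [
    "src=203.0.113.7 session=- room_id=100",
    "src=203.0.113.7 session=- room_id=101",
    "src=203.0.113.7 session=- room_id=102",
    "src=198.51.100.4 session=tok-bob room_id=102",
    "src=198.51.100.9 session=- room_id=101",
]

if __name__ == "__main__":
    print("vulnerable:", get_room_vulnerable(102))          # any caller can read Bob's room
    print("secure:", get_room_secure("tok-alice", 101))     # Alice reads her own room
    print("flagged:", flag_unauthenticated_key_sweeps(SAMPLE_LOG))
```

The fix is the ownership comparison, not just the session check: requiring authentication alone would still let any logged-in user read every other user's rooms by changing the key.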

Impact

Exploitation of this vulnerability could lead to unauthorized access to personal smart device collection information, including 'rooms' and 'scenes', associated with the targeted user.

Remediation

Growatt has reported that the cloud-based vulnerabilities have been patched and no user action is needed. Additionally, Growatt recommends that users update all devices to the latest firmware version when available, use strong passwords, enable multi-factor authentication where applicable, and report any security concerns to Service@Growatt.com. CISA advises minimizing network exposure for control system devices, locating them behind firewalls, and using secure remote access methods like VPNs.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.