Growatt Cloud Service Plant Transfer Authorization Bypass Vulnerability
Vulnerability
A vulnerability exists in the Growatt cloud service's 'plant transfer' function, available on both the Growatt OSS and Server platforms, for all versions prior to June 13, 2025. The issue arises from an incorrect authorization check, allowing a malicious attacker with a valid account to transfer any plant into their account. This exploitation could go unnoticed by the end user. Such an attack could potentially disrupt the power grid by manipulating a significant number of connected plants with sufficient power at critical times.
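The advisory attributes the issue to an incorrect authorization check on the transfer operation: the service verified that the caller was logged in, but not that the caller was entitled to move the specific plant. The following is an added illustration of that bug class and its fix, written for this page; it is not Growatt's code, and the plant store, session object, function names and sample accounts ("alice", "bob", "attacker") are all constructed assumptions. The vulnerable handler changes ownership for any authenticated caller; the hardened handler requires the caller to own the plant (or hold an admin role), records denied attempts for detection, and notifies the previous owner so a transfer cannot go unnoticed.

```python
"""Broken vs. correct object-level authorization on a 'plant transfer' call.

Constructed example for illustration only; it does not reproduce any
vendor's implementation. All identifiers and sample data are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Plant:
    plant_id: str
    owner: str  # account that currently owns the plant


@dataclass
class Session:
    account: str          # authenticated account making the request
    is_admin: bool = False


@dataclass
class PlantStore:
    plants: Dict[str, Plant] = field(default_factory=dict)
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (event, actor, plant, new_owner)
    notifications: List[Tuple[str, str]] = field(default_factory=list)     # (recipient, message)

    def get(self, plant_id: str) -> Plant:
        try:
            return self.plants[plant_id]
        except KeyError:
            raise LookupError(f"unknown plant {plant_id!r}")


def make_store() -> PlantStore:
    """Constructed sample data: two plants owned by two different accounts."""
    store = PlantStore()
    for p in (Plant("plant-1", "alice"), Plant("plant-2", "bob")):
        store.plants[p.plant_id] = p
    return store


def transfer_plant_vulnerable(store: PlantStore, session: Session,
                              plant_id: str, new_owner: str) -> Plant:
    """Broken authorization: only checks that the caller is authenticated
    and that the plant exists. Ownership of the plant is never compared
    against the caller, so any valid account can take any plant."""
    plant = store.get(plant_id)
    plant.owner = new_owner
    return plant


def transfer_plant_fixed(store: PlantStore, session: Session,
                         plant_id: str, new_owner: str) -> Plant:
    """Object-level authorization: the caller must own the plant or be an
    admin. Denied attempts are written to the audit trail (a useful
    detection signal) and the previous owner is notified on success."""
    plant = store.get(plant_id)
    authorized = session.is_admin or plant.owner == session.account
    if not authorized:
        store.audit.append(("denied", session.account, plant_id, new_owner))
        raise PermissionError(
            f"account {session.account!r} may not transfer {plant_id!r}")
    previous_owner = plant.owner
    plant.owner = new_owner
    store.audit.append(("transferred", session.account, plant_id, new_owner))
    store.notifications.append(
        (previous_owner, f"{plant_id} was transferred to {new_owner}"))
    return plant


def denied_transfer_attempts(store: PlantStore) -> List[Tuple[str, str]]:
    """Detection helper: (actor, plant) pairs for every refused transfer,
    the events a defender would alert on."""
    return [(actor, plant) for event, actor, plant, _ in store.audit
            if event == "denied"]


if __name__ == "__main__":
    vulnerable = make_store()
    transfer_plant_vulnerable(vulnerable, Session("attacker"), "plant-1", "attacker")
    print("vulnerable handler: plant-1 now owned by", vulnerable.get("plant-1").owner)

    fixed = make_store()
    try:
        transfer_plant_fixed(fixed, Session("attacker"), "plant-1", "attacker")
    except PermissionError as exc:
        print("fixed handler refused:", exc)
    print("denied attempts logged:", denied_transfer_attempts(fixed))
```

The check in `transfer_plant_fixed` is the one that was missing: authentication establishes who the caller is, authorization establishes what that caller may do to this particular object. Logging the refusal and notifying the outgoing owner are the two defensive additions that make the pattern observable; together they address the advisory's point that a transfer could otherwise go unnoticed.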
Impact
Exploitation of this vulnerability could lead to unauthorized plant transfers, allowing attackers to manipulate energy production data and potentially disrupt power grid operations.
Remediation
The vendor has disabled the 'plant transfer' functionality in the affected cloud services. No action is required from users.
