Growatt Cloud Applications Energy Consumption Information Disclosure Vulnerability

A vulnerability exists in Growatt cloud applications, specifically in the cloud portal versions through 3.6.0, allowing unauthenticated attackers to query and obtain information about the total energy consumed by electric vehicle (EV) chargers belonging to arbitrary users.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive user data, specifically energy consumption information from EV chargers.

Remediation

Growatt has reported that the cloud-based vulnerabilities were patched and no user action is needed. Users are advised to update all devices to the latest firmware version when available, use strong passwords, enable multi-factor authentication where applicable, and report any security concerns to Growatt's service email. CISA also recommends minimizing network exposure for control system devices, using firewalls to isolate control system networks from business networks, and employing secure remote access methods like VPNs.