Growatt Cloud Applications EV Charger Data Exposure Vulnerability

Vulnerability

A vulnerability in Growatt's cloud portal, all versions through 3.6.0, allows unauthenticated attackers to access energy consumption data of EV chargers used by other individuals. The issue is an authorization bypass through user-controlled keys: the keys can be exploited to retrieve sensitive information without proper authentication.
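The class of flaw described above (a record selected by a caller-supplied key with no ownership check) is sketched below next to a hardened lookup, with an authorization-matrix audit a defender can run as a regression test. This is an added example, not Growatt's code; the charger IDs, session tokens, data and function names are all hypothetical and constructed for illustration.

```python
# Added illustration: every name and value here is hypothetical and constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Charger:
    owner: str
    kwh_by_day: tuple

CHARGERS = {  # constructed sample records, keyed by a guessable identifier
    "CHG-1001": Charger("alice", (12.4, 9.8)),
    "CHG-1002": Charger("bob", (30.1, 0.0)),
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> user

class Denied(Exception):
    """Access refused (unauthenticated, unknown charger, or not the owner)."""

def energy_vulnerable(charger_id, session_token=None):
    # Flaw: the caller-supplied key alone selects the record.
    # No session is required and ownership is never compared.
    return CHARGERS[charger_id].kwh_by_day

def energy_hardened(charger_id, session_token=None):
    user = SESSIONS.get(session_token)
    if user is None:
        raise Denied("authentication required")
    charger = CHARGERS.get(charger_id)
    # Same error for an unknown id and a foreign id, so the lookup
    # cannot be used to learn which identifiers exist.
    if charger is None or charger.owner != user:
        raise Denied("not found")
    return charger.kwh_by_day

def audit(handler):
    """Try every caller (including anonymous) against every charger and
    return the (caller, charger_id) pairs served across the owner boundary."""
    leaks = []
    for token in (None, *SESSIONS):
        caller = SESSIONS.get(token)
        for cid, charger in CHARGERS.items():
            try:
                handler(cid, token)
            except (Denied, KeyError):
                continue
            if caller != charger.owner:
                leaks.append((caller, cid))
    return leaks
```

Running `audit` against both handlers shows the difference: the vulnerable lookup serves anonymous and cross-user requests, while the hardened one serves only owners.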

Impact

Exploitation of this vulnerability could lead to unauthorized access to confidential energy consumption data of users' EV chargers.

Remediation

Growatt has reported that this vulnerability has been patched in the cloud-based portal, and no user action is required. Users are advised to update their devices to the latest firmware version when available, use strong passwords, enable multi-factor authentication where applicable, and report any security concerns to Growatt's service email. CISA recommends minimizing network exposure for control system devices, using firewalls to isolate control system networks from business networks, and employing secure remote access methods like VPNs.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.