Summaryinfo

A vulnerability was found in Growatt Cloud Applications up to 3.5.x. It has been declared as problematic. This issue affects some unknown processing. Such manipulation leads to authorization. This vulnerability is traded as CVE-2025-27938. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component. If you want to get best quality of vulnerability data, you may have to visit VulDB.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Growatt Cloud Applications up to 3.5.x. Affected by this issue is some unknown processing. The manipulation with an unknown input leads to a authorization vulnerability. Using CWE to declare the problem leads to CWE-639. The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Impacted is confidentiality. CVE summarizes:

Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").

The advisory is available at cisa.gov. This vulnerability is handled as CVE-2025-27938. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. The technical details are unknown and an exploit is not available.

Upgrading to version 3.6.0 eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Cloud Software

Vendor

• Growatt

Name

• Cloud Applications

Version

• 3.0
• 3.1
• 3.2
• 3.3
• 3.4
• 3.5

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion