CVE-2025-36747
Analyzed Analyzed - Analysis Complete

BaseFortify

Vulnerability report for CVE-2025-36747, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-13

Last updated on: 2026-01-14

Assigner: Dutch Institute for Vulnerability Disclosure

Description

ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-13
Last Modified
2026-01-14
Generated
2026-07-06
AI Q&A
2025-12-13
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
growatt shine_lan-x_firmware From 3.6.0.0 (inc) to 3.6.0.2 (exc)
growatt shine_lan-x *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves ShineLan-X firmware containing embedded FTP server credentials, which allows testers or attackers to establish an insecure FTP connection. Because the firmware does not enforce signature verification, an attacker could replace legitimate files with malicious versions during deployment.

Impact Analysis

An attacker exploiting this vulnerability could replace legitimate firmware files with malicious ones, potentially compromising device integrity, leading to unauthorized control, data breaches, or disruption of device functionality.

Mitigation Strategies

Immediate steps to mitigate this vulnerability include disabling or restricting FTP access to the affected devices, especially avoiding use of insecure FTP connections. Additionally, ensure that firmware updates are obtained from trusted sources and verify firmware integrity manually if automatic signature verification is not enforced. Consider replacing or patching the firmware to remove embedded credentials and enforce secure update mechanisms.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36747. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart