CVE-2025-36747
BaseFortify
Publication date: 2025-12-13
Last updated on: 2026-01-14
Assigner: Dutch Institute for Vulnerability Disclosure
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| growatt | shine_lan-x_firmware | From 3.6.0.0 (inc) to 3.6.0.2 (exc) |
| growatt | shine_lan-x | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves ShineLan-X firmware containing embedded FTP server credentials, which allows testers or attackers to establish an insecure FTP connection. Because the firmware does not enforce signature verification, an attacker could replace legitimate files with malicious versions during deployment.
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate this vulnerability include disabling or restricting FTP access to the affected devices, especially avoiding use of insecure FTP connections. Additionally, ensure that firmware updates are obtained from trusted sources and verify firmware integrity manually if automatic signature verification is not enforced. Consider replacing or patching the firmware to remove embedded credentials and enforce secure update mechanisms.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability could replace legitimate firmware files with malicious ones, potentially compromising device integrity, leading to unauthorized control, data breaches, or disruption of device functionality.