CVE-2025-36747
Analyzed Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-12-13

Last updated on: 2026-01-14

Assigner: Dutch Institute for Vulnerability Disclosure

Description
ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-13
Last Modified
2026-01-14
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-36747
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
growatt shine_lan-x_firmware From 3.6.0.0 (inc) to 3.6.0.2 (exc)
growatt shine_lan-x *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate steps to mitigate this vulnerability include disabling or restricting FTP access to the affected devices, especially avoiding use of insecure FTP connections. Additionally, ensure that firmware updates are obtained from trusted sources and verify firmware integrity manually if automatic signature verification is not enforced. Consider replacing or patching the firmware to remove embedded credentials and enforce secure update mechanisms.

Executive Summary

This vulnerability involves ShineLan-X firmware containing embedded FTP server credentials, which allows testers or attackers to establish an insecure FTP connection. Because the firmware does not enforce signature verification, an attacker could replace legitimate files with malicious versions during deployment.

Impact Analysis

An attacker exploiting this vulnerability could replace legitimate firmware files with malicious ones, potentially compromising device integrity, leading to unauthorized control, data breaches, or disruption of device functionality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36747. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart