Critical Vulnerability in Growatt Cloud Service


Overview

A severe authorization vulnerability (CVE-2025-29757) has been discovered in the Growatt cloud service, affecting the "plant transfer" functionality. This flaw allows a malicious attacker with a valid account to forcibly transfer any solar power plant into their own account without proper authorization.

With a CVSS-B score of 9.4 (CRITICAL), this vulnerability poses significant risks to Growatt's infrastructure, potentially enabling unauthorized access, data theft, and financial losses for affected users.

Technical Details

The vulnerability stems from an insufficient authorization check in the API or web interface responsible for transferring plants (solar energy systems) between user accounts. The system fails to verify whether the requesting user has legitimate ownership or administrative rights over the target plant before executing the transfer.

Affected Components

  • Growatt cloud service (web and mobile app interfaces)
  • Plant management APIs
  • User account permission validation system

Attack Scenario

Step-by-Step Exploitation

  1. Attacker Obtains Valid Credentials

    • The attacker either creates a legitimate account or acquires one through phishing/social engineering.
  2. Identifying Target Plants

    • The attacker enumerates plant IDs via API calls or web requests (e.g., brute-forcing or inspecting network traffic).
  3. Exploiting the Flaw

    • The attacker sends a crafted HTTP request (e.g., POST /api/plant/transfer) with a target plant ID and their own account ID.
    • Due to the missing authorization check, the server processes the request and transfers the plant.
  4. Post-Exploitation Impact

    • The attacker gains full control over the transferred plant, including:
      • Access to energy production data
      • Ability to modify plant settings
      • Potential financial fraud (if the plant is tied to energy credits or billing)

Sample Malicious Request

POST /api/plant/transfer HTTP/1.1
Host: cloud.growatt.com
Authorization: Bearer [attacker_valid_token]
Content-Type: application/json

{
  "plant_id": "123456",
  "new_owner_id": "attacker_account"
}

Expected Response (if vulnerable):

{
  "status": "success",
  "message": "Plant transfer completed."
}

Since the server never checks whether the requesting account actually owns plant_id, the transfer succeeds.

Mitigation & Recommendations

Growatt has released a patch to address this vulnerability. Users and administrators should:

  1. Apply the Latest Update

    • Ensure the Growatt cloud service is updated to the latest version.
  2. Implement API Authorization Checks

    • Servers must validate both the session token and ownership rights before processing plant transfers.
  3. Monitor Suspicious Activity

    • Audit logs for unexpected plant transfers.
    • Implement rate-limiting and anomaly detection on sensitive API endpoints.
  4. User Awareness

    • Advise users to enable multi-factor authentication (MFA) and report suspicious account behavior.
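The authorization check recommended in step 2 above, shown as an added example (not Growatt's code): a transfer handler that only authenticates, beside one that also verifies the requester owns the plant or holds an admin role and writes an audit record for step 3. The in-memory store, account names, plant ID and audit tuple shape are constructed for this illustration.

```python
"""Plant-transfer authorization: the missing ownership check beside the fixed one.
Hypothetical in-memory model, not Growatt's code; IDs, names and the audit-log
shape are constructed for this example."""
from dataclasses import dataclass, field

@dataclass
class Plant:
    plant_id: str
    owner_id: str

@dataclass
class Store:
    plants: dict = field(default_factory=dict)
    users: set = field(default_factory=set)
    admins: set = field(default_factory=set)
    audit: list = field(default_factory=list)

def transfer_vulnerable(db, session_user, plant_id, new_owner_id):
    """Authenticates only: any valid session may move any plant (the CVE pattern)."""
    plant = db.plants.get(plant_id)
    if session_user not in db.users or plant is None:
        return {"status": "error", "code": 400}
    plant.owner_id = new_owner_id
    return {"status": "success", "message": "Plant transfer completed."}

def transfer_fixed(db, session_user, plant_id, new_owner_id):
    """Authenticate, then authorize: requester must own the plant or be an admin."""
    if session_user not in db.users:
        return {"status": "error", "code": 401}
    plant = db.plants.get(plant_id)
    # Same 403 for "no such plant" and "not your plant": the endpoint then
    # leaks nothing that helps confirm which plant IDs exist.
    if plant is None or (plant.owner_id != session_user and session_user not in db.admins):
        db.audit.append(("DENIED_TRANSFER", session_user, plant_id, new_owner_id))
        return {"status": "error", "code": 403}
    if new_owner_id not in db.users:
        return {"status": "error", "code": 400}
    plant.owner_id = new_owner_id
    db.audit.append(("TRANSFER", session_user, plant_id, new_owner_id))
    return {"status": "success", "message": "Plant transfer completed."}

def demo():
    """Run the same attacker request through both handlers; returns the outcomes."""
    db = Store(plants={"123456": Plant("123456", "victim")},
               users={"victim", "attacker", "admin"}, admins={"admin"})
    vuln = transfer_vulnerable(db, "attacker", "123456", "attacker")["status"]
    db.plants["123456"].owner_id = "victim"  # reset before trying the fixed handler
    fixed = transfer_fixed(db, "attacker", "123456", "attacker")["code"]
    return vuln, fixed, db.plants["123456"].owner_id
```

The DENIED_TRANSFER records are what an audit query for step 3 would alert on: repeated denials from one account across many plant IDs is the enumeration pattern the advisory describes.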

Conclusion

CVE-2025-29757 highlights the dangers of insufficient authorization checks in cloud-based energy management systems. Organizations using Growatt’s services should apply patches immediately and review their security configurations to prevent exploitation.

For further details, refer to Growatt’s official security advisory or contact their support team.


Crow

physics, information technologies, author, educator
