CVE-2025-36752 CRITICAL

CVE-2025-36752: Undocumented Backup Account and No Password Configuration Capability

Vendor Growatt
Product ShineLan-X
Weakness CWE-798 · Hardcoded credentials
Published December 13, 2025
Last update January 7, 2026

CVSS base score

9.4/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

The Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials that allows a significant level of access to the device, such as allowing any attacker to access the Setting Center. This is effectively a backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.

Key dates

02 Disclosure timeline

December 13, 2025 CVE published
January 7, 2026 Record updated