VYPR

Shinelan X

by Growatt

CVEs (6)

  • CVE-2025-36751CriDec 13, 2025
    risk 0.61cvss epss 0.00

    Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint.

  • CVE-2025-36747Dec 13, 2025
    risk 0.00cvss epss 0.00

    ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious…

  • CVE-2025-36752Dec 13, 2025
    risk 0.00cvss epss 0.00

    Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all…

  • CVE-2025-36748Dec 13, 2025
    risk 0.00cvss epss 0.00

    ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s…

  • CVE-2025-36750Dec 13, 2025
    risk 0.00cvss epss 0.00

    ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the Plant Name field. A HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run…

  • CVE-2025-36753Dec 13, 2025
    risk 0.00cvss epss 0.00

    The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extracting secrets or domains from within the device