Advisory

Multiple flaws reported in Growatt Cloud Platform

Take action: If you are using the Growatt platform, you don't need to do anything: the patch is already applied on the cloud side. But be mindful that cloud platforms can have a lot of vulnerabilities.


Learn More

Forescout Vedere Labs reports multiple security vulnerabilities discovered in the Growatt cloud platform, which manages various smart energy devices including solar inverters, EV chargers, and smart home systems. These findings are part of the "SUN:DOWN" security research report.

One of the most severe vulnerabilities, tracked as FSCT-2024-0048, allows unauthenticated attackers to manipulate smart home devices by exploiting insecure direct object references (IDORs) in multiple API endpoints. The research identified 11 related IDORs affecting Growatt's systems.

With just knowledge of a valid username, attackers can:

  • Obtain lists of devices belonging to arbitrary user accounts
  • View and manipulate "rooms" and "scenes" configurations
  • Hijack devices by removing them from legitimate owner accounts and associating them with attacker accounts
  • Control devices remotely, including the ability to turn them on or off

This vulnerability affects multiple endpoints including "energy.growatt.com/room/" and "energy.growatt.com/smartHome/", enabling unauthorized access to smart home setups and connected devices.
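The IDOR class described above comes down to one design mistake: the endpoint lets the caller name the account (or device) to act on instead of deriving it from the authenticated session. The following is an added illustration, not Growatt code and not taken from the Forescout report; the device inventory, usernames and function names are constructed. It places the vulnerable pattern beside the object-level authorization check that fixes it.

```python
"""Object-level authorization for a device API (added example, not Growatt code).

`list_devices_vulnerable` / `claim_device_vulnerable` trust a client-supplied
username; `list_devices` / `set_power` / `transfer_device` scope every lookup to
the session user and refuse anything the caller does not own.
All data below is constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    owner: str
    powered_on: bool = False


# Constructed sample inventory: two accounts, each owning one device.
DEVICES: dict[str, Device] = {
    "dev-001": Device("dev-001", owner="alice"),
    "dev-002": Device("dev-002", owner="bob"),
}


@dataclass
class Session:
    user: str  # username established by the login step, never by the request body


class AuthorizationError(Exception):
    pass


# --- vulnerable pattern: the caller names the account to act on ---
def list_devices_vulnerable(session: Session, username: str) -> list[str]:
    # `session` is never consulted, so any caller who knows a username
    # can read that account's inventory.
    return [d.device_id for d in DEVICES.values() if d.owner == username]


def claim_device_vulnerable(session: Session, device_id: str, new_owner: str) -> str:
    # Re-associates a device with whichever account the caller names,
    # without checking that the caller owns it.
    DEVICES[device_id].owner = new_owner
    return DEVICES[device_id].owner


# --- hardened pattern: identity comes from the session and every object
# access verifies ownership before reading or writing ---
def list_devices(session: Session) -> list[str]:
    return [d.device_id for d in DEVICES.values() if d.owner == session.user]


def _owned_device(session: Session, device_id: str) -> Device:
    dev = DEVICES.get(device_id)
    # Same error for "not found" and "not yours", so the endpoint cannot be
    # used to enumerate which device ids exist.
    if dev is None or dev.owner != session.user:
        raise AuthorizationError("device not accessible")
    return dev


def set_power(session: Session, device_id: str, on: bool) -> bool:
    dev = _owned_device(session, device_id)
    dev.powered_on = on
    return dev.powered_on


def transfer_device(session: Session, device_id: str, new_owner: str) -> str:
    # Only the current owner may hand a device to another account.
    dev = _owned_device(session, device_id)
    dev.owner = new_owner
    return dev.owner
```

The hardened handlers never accept an account identifier from the client; a reviewer can flag any endpoint whose parameters include a username, account id, or device id that is not re-checked against the session as a candidate for this bug class.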

Two significant XSS vulnerabilities were found:

  • FSCT-2024-0034: A stored XSS vulnerability in the "server.growatt.com/energy/updatePlant" endpoint allows authenticated attackers to inject malicious JavaScript code by manipulating plant names.
  • FSCT-2024-0059: Due to inadequate server-side input validation, attackers can inject malicious JavaScript through the "energy.growatt.com/tuya/editDevName" endpoint.

The XSS vulnerabilities exist because Growatt's protection only removes <script> tags while failing to sanitize other dangerous HTML constructs like <img src="" onerror="[malicious code]">. When affected users log into the web portal, the attacker's injected code executes in their browser session.
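To make the sanitization point concrete, here is an added example (not Growatt code, and not from the report) contrasting a blocklist filter of the kind described above with output encoding. `strip_script_tags` is a constructed stand-in for a "remove `<script>` tags" filter; `render_name` is the alternative that treats the plant or device name as data. The sample name uses the advisory's own `[malicious code]` placeholder rather than any real script.

```python
"""Why stripping <script> tags is not sanitization (added example, not Growatt code).

`strip_script_tags` mimics the blocklist approach the advisory describes;
`render_name` HTML-escapes the value at output time so the browser displays it
instead of parsing it as markup. Inputs below are constructed samples.
"""
import html
import re

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(name: str) -> str:
    # Blocklist filter: removes <script> ... </script> tags and nothing else.
    # Any other tag, and any event-handler attribute, passes through untouched.
    return SCRIPT_TAG.sub("", name)


def render_name(name: str) -> str:
    # Contextual output encoding: every HTML metacharacter becomes an entity
    # (& < > " '), so no tag or attribute boundary can be formed from user data.
    return html.escape(name, quote=True)


# The event-handler construct from the advisory; the handler body is the
# advisory's placeholder, not runnable script.
PLANT_NAME = 'Roof array <img src="" onerror="[malicious code]">'


def is_markup_free(rendered: str) -> bool:
    # Minimal check a server-side test suite could run on rendered output:
    # no raw angle brackets survive, so no element or attribute can be created.
    return "<" not in rendered and ">" not in rendered


def check_filters(name: str) -> dict[str, bool]:
    # Summarises which approach leaves markup in the rendered page.
    return {
        "blocklist_leaves_markup": not is_markup_free(strip_script_tags(name)),
        "escaping_leaves_markup": not is_markup_free(render_name(name)),
    }
```

The escaped form of the sample name renders literally as `Roof array <img src="" onerror="[malicious code]">` on the page, which is exactly what a user who typed that name would expect; the blocklist version stores and re-emits a working tag. If rich formatting in names is genuinely required, an allowlist HTML sanitizer is the right tool; a regex that deletes one tag is not.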

Multiple vulnerabilities enable account hijacking and data leakage:

  • FSCT-2024-0043: Unauthenticated attackers can obtain email addresses of existing users through the "server-api.growatt.com/newForgetAPI.do" endpoint.
  • FSCT-2024-0044: Account takeover is possible by exploiting password reset functionality. Attackers can change a user's registered email address, then trigger a password reset to gain control of the account.
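The takeover chain in FSCT-2024-0044 works because an email change takes effect immediately and the password-reset flow then trusts the new address. The following added example (not Growatt code and not from the report; account data, mailbox stand-in and function names are constructed) models the two controls that break that chain: a new address must prove it can receive a verification token before it becomes the account's address, and reset tokens are only ever sent to the verified address. It also folds in the user-enumeration concern from FSCT-2024-0043 by making the reset request behave identically for unknown usernames.

```python
"""Hardening the email-change / password-reset chain (added example, not Growatt code).

`change_email_vulnerable` shows the immediate, unverified update. The hardened
flow keeps a pending address until its verification token is returned, notifies
the existing address, and mails password-reset tokens only to the verified
address. Accounts, addresses and tokens below are constructed.
"""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str                          # verified address
    pending_email: str | None = None
    pending_token: str | None = None


@dataclass
class Outbox:
    # Stand-in for a mail sender; each entry is (recipient, purpose, token).
    messages: list[tuple[str, str, str]] = field(default_factory=list)

    def send(self, to: str, purpose: str, token: str) -> None:
        self.messages.append((to, purpose, token))

    def sent_to(self, purpose: str) -> list[str]:
        return [to for (to, p, _) in self.messages if p == purpose]


ACCOUNTS: dict[str, Account] = {"alice": Account("alice", "alice@example.test")}


# --- vulnerable pattern: the change is immediate and unverified ---
def change_email_vulnerable(username: str, new_email: str) -> str:
    acct = ACCOUNTS[username]
    acct.email = new_email              # any later reset now goes to new_email
    return acct.email


# --- hardened pattern ---
def request_email_change(session_user: str, new_email: str, outbox: Outbox) -> None:
    acct = ACCOUNTS[session_user]       # identity comes from the session, not the request
    acct.pending_email = new_email
    acct.pending_token = secrets.token_urlsafe(32)
    outbox.send(new_email, "verify-new-email", acct.pending_token)
    # The current owner is told about the attempt so they can cancel it.
    outbox.send(acct.email, "email-change-notice", "")


def confirm_email_change(session_user: str, token: str) -> bool:
    acct = ACCOUNTS[session_user]
    if acct.pending_token is None or not secrets.compare_digest(token, acct.pending_token):
        return False
    acct.email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
    return True


def request_password_reset(username: str, outbox: Outbox) -> None:
    # Behaves the same whether or not the account exists (no user enumeration)
    # and only ever mails the verified address, never a pending one.
    acct = ACCOUNTS.get(username)
    if acct is not None:
        outbox.send(acct.email, "password-reset", secrets.token_urlsafe(32))
```

In a real deployment the email-change request would also require a fresh re-authentication (password or second factor) before a pending change is created; that step is left out here so the verification and reset-routing logic stays visible.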

Additional data exposure vulnerabilities include:

  • FSCT-2024-0051, FSCT-2024-0052, FSCT-2024-0053, FSCT-2024-0060, FSCT-2024-0061, FSCT-2024-0068: Unauthenticated attackers can access sensitive information about EV chargers, including energy consumption data, configuration settings, and firmware details through the "evcharge.growatt.com/ocpp" endpoint.
  • FSCT-2024-0063: Unauthenticated attackers can query total energy consumption data from EV chargers belonging to arbitrary users through the "energy.growatt.com/link/" endpoint.

Most concerning from a safety perspective, unauthenticated attackers can remotely configure EV chargers through vulnerable APIs:

  • Attackers can retrieve complete configuration details for specific devices, including cleartext 4G and WiFi passwords
  • Configuration parameters can be modified remotely, potentially leading to physical damage or safety hazards

Growatt has acknowledged and addressed the security vulnerabilities in their cloud platform, with fixes that reportedly don't require changes to deployed inverter hardware. However, the vulnerability disclosure and remediation process with Growatt was notably challenging and less collaborative than industry standards would suggest.

The security researchers initially faced difficulties establishing proper communication channels with Growatt:

  • They were only able to make contact through a general support email address
  • The researchers were eventually directed to a contact in China for vulnerability disclosure
  • All vulnerability details were shared with Growatt on November 27, 2024

Despite multiple follow-ups, Growatt's remediation process was slow:

  • Some issues were only fixed on February 27, 2025 (92 days after disclosure)
  • The remaining vulnerabilities were addressed on March 13, 2025 (107 days after disclosure)