CVE-2025-27938

Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04	Third Party Advisory US Government Resource Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:growatt:cloud_portal:*:*:*:*:*:*:*:*

History

12 Nov 2025, 18:53

Type	Values Removed	Values Added
CPE		cpe:2.3:a:growatt:cloud_portal::::::::
First Time		Growatt Growatt cloud Portal
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04 - Third Party Advisory, US Government Resource, Mitigation

16 Apr 2025, 13:25

Type	Values Removed	Values Added
Summary		(es) Los atacantes no autenticados pueden obtener información restringida sobre las colecciones de dispositivos inteligentes de un usuario (es decir, "salas").

15 Apr 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-15 21:15

Updated : 2025-11-12 18:53

NVD link : CVE-2025-27938

Mitre link : CVE-2025-27938

CVE.ORG link : CVE-2025-27938

JSON object : View

Products Affected

growatt

cloud_portal

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-27938", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-15T21:15:55.273", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04", "tags": ["Third Party Advisory", "US Government Resource", "Mitigation"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., \"rooms\")."}, {"lang": "es", "value": "Los atacantes no autenticados pueden obtener informaci\u00f3n restringida sobre las colecciones de dispositivos inteligentes de un usuario (es decir, \"salas\")."}], "lastModified": "2025-11-12T18:53:57.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:growatt:cloud_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F9CCAE7-5BE3-413B-8375-C83C12FF3A31", "versionEndIncluding": "3.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}