CVE-2025-31950

An unauthenticated attacker can obtain EV charger energy consumption information of other users.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04	Third Party Advisory US Government Resource Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:growatt:cloud_portal:*:*:*:*:*:*:*:*

History

12 Nov 2025, 16:17

Type	Values Removed	Values Added
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04 - Third Party Advisory, US Government Resource, Mitigation
CPE		cpe:2.3:a:growatt:cloud_portal::::::::
First Time		Growatt Growatt cloud Portal

16 Apr 2025, 13:25

Type	Values Removed	Values Added
Summary		(es) Un atacante no autenticado puede obtener información sobre el consumo de energía del cargador de vehículos eléctricos de otros usuarios.

15 Apr 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-15 22:15

Updated : 2025-11-12 16:17

NVD link : CVE-2025-31950

Mitre link : CVE-2025-31950

CVE.ORG link : CVE-2025-31950

JSON object : View

Products Affected

growatt

cloud_portal

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-31950", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-15T22:15:27.867", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04", "tags": ["Third Party Advisory", "US Government Resource", "Mitigation"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "An unauthenticated attacker can obtain EV charger energy consumption information of other users."}, {"lang": "es", "value": "Un atacante no autenticado puede obtener informaci\u00f3n sobre el consumo de energ\u00eda del cargador de veh\u00edculos el\u00e9ctricos de otros usuarios."}], "lastModified": "2025-11-12T16:17:38.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:growatt:cloud_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F9CCAE7-5BE3-413B-8375-C83C12FF3A31", "versionEndIncluding": "3.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}