Details of VAR-202504-0965

ID

VAR-202504-0965

CVE

CVE-2025-27568

TITLE

Growatt New Energy of Cloud portal Vulnerability in user-controlled key authentication evasion in

Trust: 0.8

sources: JVNDB: JVNDB-2025-019750

DESCRIPTION

An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. Growatt New Energy of Cloud portal Exists in a user-controlled key authentication evasion vulnerability.Information may be obtained. Growatt Cloud Applications is a monitoring platform of China's Growatt. Growatt Cloud Applications 3.6.0 and earlier versions have an authorization bypass vulnerability that can be exploited by unauthenticated attackers to obtain user emails by knowing the username, resulting in the sending of password reset emails

Trust: 2.16

sources: NVD: CVE-2025-27568 // JVNDB: JVNDB-2025-019750 // CNVD: CNVD-2025-14960

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-14960

AFFECTED PRODUCTS

vendor:	growatt	model:	cloud portal	scope:	lte	version:	3.6.0	Trust: 1.0
vendor:	growatt new energy	model:	cloud portal	scope:	eq	version:	-	Trust: 0.8
vendor:	growatt new energy	model:	cloud portal	scope:	-	version:	-	Trust: 0.8
vendor:	growatt new energy	model:	cloud portal	scope:	lte	version:	3.6.0 and earlier	Trust: 0.8
vendor:	growatt	model:	cloud applications	scope:	lte	version:	<=3.6.0	Trust: 0.6

sources: CNVD: CNVD-2025-14960 // JVNDB: JVNDB-2025-019750 // NVD: CVE-2025-27568

CVSS

SEVERITY

CVSSV2

CVSSV3

ics-cert@hq.dhs.gov:	CVE-2025-27568
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2025-019750
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2025-14960
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2025-14960
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

ics-cert@hq.dhs.gov:	CVE-2025-27568
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2025-019750
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-14960 // JVNDB: JVNDB-2025-019750 // NVD: CVE-2025-27568

PROBLEMTYPE DATA

problemtype:	CWE-639	Trust: 1.0
problemtype:	Avoid authentication with user-controlled keys (CWE-639) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2025-019750 // NVD: CVE-2025-27568

PATCH

title:

Patch for Growatt Cloud Applications Authorization Bypass Vulnerability (CNVD-2025-14960)

url:

https://www.cnvd.org.cn/patchInfo/show/704616

Trust: 0.6

sources: CNVD: CNVD-2025-14960

EXTERNAL IDS

db:	NVD	id:	CVE-2025-27568	Trust: 3.2
db:	ICS CERT	id:	ICSA-25-105-04	Trust: 2.4
db:	JVN	id:	JVNVU92061889	Trust: 0.8
db:	JVNDB	id:	JVNDB-2025-019750	Trust: 0.8
db:	CNVD	id:	CNVD-2025-14960	Trust: 0.6

sources: CNVD: CNVD-2025-14960 // JVNDB: JVNDB-2025-019750 // NVD: CVE-2025-27568

REFERENCES

url:	https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04	Trust: 2.4
url:	https://jvn.jp/vu/jvnvu92061889/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2025-27568	Trust: 0.8

sources: CNVD: CNVD-2025-14960 // JVNDB: JVNDB-2025-019750 // NVD: CVE-2025-27568

SOURCES

db:	CNVD	id:	CNVD-2025-14960
db:	JVNDB	id:	JVNDB-2025-019750
db:	NVD	id:	CVE-2025-27568

LAST UPDATE DATE

2025-11-28T03:55:47.265000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-14960	date:	2025-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2025-019750	date:	2025-11-25T05:13:00
db:	NVD	id:	CVE-2025-27568	date:	2025-11-12T15:43:11.787

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-14960	date:	2025-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2025-019750	date:	2025-11-25T00:00:00
db:	NVD	id:	CVE-2025-27568	date:	2025-04-15T21:15:55.060