ID

VAR-202504-0965


CVE

CVE-2025-27568


TITLE

Growatt Cloud Applications Authorization Bypass Vulnerability (CNVD-2025-14960)

Trust: 0.6

sources: CNVD: CNVD-2025-14960

DESCRIPTION

An unauthenticated attacker who knows a username can obtain that user's email address. A password reset email will be sent in response to this unsolicited request. Growatt Cloud Applications is a monitoring platform from the Chinese vendor Growatt. Growatt Cloud Applications 3.6.0 and earlier versions have an authorization bypass vulnerability that unauthenticated attackers can exploit to obtain a user's email address from the username, which results in a password reset email being sent.

Trust: 1.44

sources: NVD: CVE-2025-27568 // CNVD: CNVD-2025-14960

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-14960

AFFECTED PRODUCTS

vendor: growatt, model: cloud applications, scope: lte, version: <=3.6.0

Trust: 0.6

sources: CNVD: CNVD-2025-14960

CVSS

SEVERITY

ics-cert@hq.dhs.gov: CVE-2025-27568
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2025-14960
value: MEDIUM

Trust: 0.6

CVSSV2

CNVD: CNVD-2025-14960
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

ics-cert@hq.dhs.gov: CVE-2025-27568
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-14960 // NVD: CVE-2025-27568

PROBLEMTYPE DATA

problemtype: CWE-639

Trust: 1.0

sources: NVD: CVE-2025-27568

PATCH

title: Patch for Growatt Cloud Applications Authorization Bypass Vulnerability (CNVD-2025-14960), url: https://www.cnvd.org.cn/patchInfo/show/704616

Trust: 0.6

sources: CNVD: CNVD-2025-14960

EXTERNAL IDS

db: NVD, id: CVE-2025-27568

Trust: 1.6

db: ICS CERT, id: ICSA-25-105-04

Trust: 1.6

db: CNVD, id: CNVD-2025-14960

Trust: 0.6

sources: CNVD: CNVD-2025-14960 // NVD: CVE-2025-27568

REFERENCES

url: https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04

Trust: 1.6

sources: CNVD: CNVD-2025-14960 // NVD: CVE-2025-27568

SOURCES

db: CNVD, id: CNVD-2025-14960
db: NVD, id: CVE-2025-27568

LAST UPDATE DATE

2025-07-04T23:21:50.302000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-14960, date: 2025-07-03T00:00:00
db: NVD, id: CVE-2025-27568, date: 2025-04-16T13:25:59.640

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-14960, date: 2025-07-03T00:00:00
db: NVD, id: CVE-2025-27568, date: 2025-04-15T21:15:55.060