ENCS cybersecurity testers uncovered several vulnerabilities in consumer solar inverters widely used in Europe, as part of the work on consumer IoT equipment. We reported these to the Dutch Institute for Vulnerability Disclosure (DIVD) CSIRT to start a responsible vulnerability disclosure process. Six vulnerabilities have now been resolved by the manufacturers.
Resolved vulnerabilities
The following CVEs are published:
🔴 CVE-2025-29756 — A vulnerability in the MQTT service use by the SunGrow central systems that allows attackers to subscribe to any topic.
🔴 CVE-2025-29757 — An incorrect authorisation check in the ‘plant transfer’ function of the Growatt cloud service that allowed a malicious attacker with a valid account to transfer any plant into his/her account.
🔴 CVE-2025-36756 — Device takeover via missing authorization (CVSS v4.0: 5.8 Medium). An attacker can take control of a SolaX inverter if a serial number is known.
🔴 CVE-2025-36757 — Admin login screen bypass via parameter tampering (CVSS v4.0: 6.3 Medium).
🔴 CVE-2025-36758 — Brute-force protection bypass using “Forgot Password” as an oracle (CVSS v4.0: 6.3 Medium).
🔴 CVE-2025-36759 — Sensitive information disclosure: when providing usernames, SolaX Cloud suggests similar accounts and leaks emails and phone numbers (CVSS v4.0: 8.7 High).
These vulnerabilities illustrate the risk of consumer IoT equipment is. Hackers could have exploited these vulnerabilities over the internet without any specialized knowledge of the electricity system. As they affect the central systems, they could have given the attackers access to many connected inverters.
The good news is that this shows that resolving vulnerabilities is possible. We worked closely with DIVD in this, using their responsible vulnerability disclosure process. By fixing the vulnerabilities in the central system, all Growatt and SunGrow inverters are now more secure.
However, there are likely more vulnerabilities in PV inverters that have not yet been found. As such, we hope we can continue this testing program with ENCS members in coming years to structurally improve the security of high-power consumer IoT equipment.
