Home

Description

When connecting to the Solax Cloud MQTT server the username is the "registration number", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the "registration number" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.

PUBLISHED Reserved 2026-02-09 | Published 2026-02-12 | Updated 2026-02-12 | Assigner SEC-VLab

Problem types

CWE-330 Use of Insufficiently Random Values

Product status

Default status
unaffected

<3.022.03
affected

Default status
unaffected

<1.009.02
affected

Default status
unaffected

<1.005.05
affected

Default status
unaffected

<006.06
affected

Default status
unaffected

<003.03
affected

Credits

Stefan Viehböck, SEC Consult Vulnerability Lab finder

References

r.sec-consult.com/solax

cve.org (CVE-2025-15574)

nvd.nist.gov (CVE-2025-15574)

Download JSON