CVE-2025-15574 (GCVE-0-2025-15574)

Vulnerability from cvelistv5 – Published: 2026-02-12 10:58 – Updated: 2026-02-12 15:15
VLAI?
Title
Insecure Credential Generation for Solax Power Pocket WiFi models MQTT Cloud Connection
Summary
When connecting to the Solax Cloud MQTT server the username is the "registration number", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the "registration number" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
References
Impacted products
Vendor Product Version
SolaX Power Pocket WiFi 3.0 Affected: <3.022.03
Create a notification for this product.
Credits
Stefan Viehböck, SEC Consult Vulnerability Lab
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-15574",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-12T15:15:40.976873Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-12T15:15:45.817Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pocket WiFi 3.0",
          "vendor": "SolaX Power",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c3.022.03"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Pocket WiFi+LAN",
          "vendor": "SolaX Power",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c1.009.02"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Pocket WiFi+4GM",
          "vendor": "SolaX Power",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c1.005.05"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Pocket WiFi+LAN 2.0",
          "vendor": "SolaX Power",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c006.06"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Pocket WiFi 4.0",
          "vendor": "SolaX Power",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c003.03"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Stefan Viehb\u00f6ck, SEC Consult Vulnerability Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When connecting to the Solax Cloud MQTT server the username is the \"registration number\", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the \"registration number\" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.\u003cbr\u003e"
            }
          ],
          "value": "When connecting to the Solax Cloud MQTT server the username is the \"registration number\", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the \"registration number\" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330 Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-12T10:58:29.373Z",
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab"
      },
      "references": [
        {
          "url": "https://r.sec-consult.com/solax"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vendor provides patches for the affected Pocket models which can be obtained throw their customer\u0027s Solax Cloud account and using the Pocket firmware upgrade function there.\u003cbr\u003e\u003cbr\u003eAs of February 10, 2026, the firmware versions for each affected Pocket model are as follows according to the vendor:\u003cbr\u003e1. Pocket WiFi 3.0 \u2013 (3.022.03)\u003cbr\u003e2. Pocket WiFi+LAN \u2013 (1.009.02)\u003cbr\u003e3. Pocket WiFi+4GM \u2013 (1.005.05)\u003cbr\u003e4. Pocket WiFi+LAN 2.0 \u2013 (006.06)\u003cbr\u003e5. Pocket WiFi 4.0 \u2013 (003.03)\u003cbr\u003e\u003cbr\u003eThe vendor provided the following further information regarding EV Charger and Adapter Box:\u003cbr\u003e1. EV Charger: The WiFi module firmware supports digital signature, but only one-way authentication is implemented.\u003cbr\u003e2. Adapter Box: The WiFi module firmware supports two-way authentication and digital signature.\u003cbr\u003e"
            }
          ],
          "value": "The vendor provides patches for the affected Pocket models which can be obtained throw their customer\u0027s Solax Cloud account and using the Pocket firmware upgrade function there.\n\nAs of February 10, 2026, the firmware versions for each affected Pocket model are as follows according to the vendor:\n1. Pocket WiFi 3.0 \u2013 (3.022.03)\n2. Pocket WiFi+LAN \u2013 (1.009.02)\n3. Pocket WiFi+4GM \u2013 (1.005.05)\n4. Pocket WiFi+LAN 2.0 \u2013 (006.06)\n5. Pocket WiFi 4.0 \u2013 (003.03)\n\nThe vendor provided the following further information regarding EV Charger and Adapter Box:\n1. EV Charger: The WiFi module firmware supports digital signature, but only one-way authentication is implemented.\n2. Adapter Box: The WiFi module firmware supports two-way authentication and digital signature."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Credential Generation for Solax Power Pocket WiFi models MQTT Cloud Connection",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "cveId": "CVE-2025-15574",
    "datePublished": "2026-02-12T10:58:29.373Z",
    "dateReserved": "2026-02-09T09:43:51.017Z",
    "dateUpdated": "2026-02-12T15:15:45.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-15574\",\"sourceIdentifier\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"published\":\"2026-02-12T11:15:49.117\",\"lastModified\":\"2026-02-12T16:16:02.980\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When connecting to the Solax Cloud MQTT server the username is the \\\"registration number\\\", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the \\\"registration number\\\" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-330\"}]}],\"references\":[{\"url\":\"https://r.sec-consult.com/solax\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-15574\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-12T15:15:40.976873Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-12T15:15:34.044Z\"}}], \"cna\": {\"title\": \"Insecure Credential Generation for Solax Power Pocket WiFi models MQTT Cloud Connection\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Stefan Viehb\\u00f6ck, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-21\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-21 Exploitation of Trusted Identifiers\"}]}], \"affected\": [{\"vendor\": \"SolaX Power\", \"product\": \"Pocket WiFi 3.0\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c3.022.03\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"SolaX Power\", \"product\": \"Pocket WiFi+LAN\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c1.009.02\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"SolaX Power\", \"product\": \"Pocket WiFi+4GM\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c1.005.05\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"SolaX Power\", \"product\": \"Pocket WiFi+LAN 2.0\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c006.06\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"SolaX Power\", \"product\": \"Pocket WiFi 4.0\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c003.03\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The vendor provides patches for the affected Pocket models which can be obtained throw their customer\u0027s Solax Cloud account and using the Pocket firmware upgrade function there.\\n\\nAs of February 10, 2026, the firmware versions for each affected Pocket model are as follows according to the vendor:\\n1. Pocket WiFi 3.0 \\u2013 (3.022.03)\\n2. Pocket WiFi+LAN \\u2013 (1.009.02)\\n3. Pocket WiFi+4GM \\u2013 (1.005.05)\\n4. Pocket WiFi+LAN 2.0 \\u2013 (006.06)\\n5. Pocket WiFi 4.0 \\u2013 (003.03)\\n\\nThe vendor provided the following further information regarding EV Charger and Adapter Box:\\n1. EV Charger: The WiFi module firmware supports digital signature, but only one-way authentication is implemented.\\n2. Adapter Box: The WiFi module firmware supports two-way authentication and digital signature.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The vendor provides patches for the affected Pocket models which can be obtained throw their customer\u0027s Solax Cloud account and using the Pocket firmware upgrade function there.\u003cbr\u003e\u003cbr\u003eAs of February 10, 2026, the firmware versions for each affected Pocket model are as follows according to the vendor:\u003cbr\u003e1. Pocket WiFi 3.0 \\u2013 (3.022.03)\u003cbr\u003e2. Pocket WiFi+LAN \\u2013 (1.009.02)\u003cbr\u003e3. Pocket WiFi+4GM \\u2013 (1.005.05)\u003cbr\u003e4. Pocket WiFi+LAN 2.0 \\u2013 (006.06)\u003cbr\u003e5. Pocket WiFi 4.0 \\u2013 (003.03)\u003cbr\u003e\u003cbr\u003eThe vendor provided the following further information regarding EV Charger and Adapter Box:\u003cbr\u003e1. EV Charger: The WiFi module firmware supports digital signature, but only one-way authentication is implemented.\u003cbr\u003e2. Adapter Box: The WiFi module firmware supports two-way authentication and digital signature.\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://r.sec-consult.com/solax\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When connecting to the Solax Cloud MQTT server the username is the \\\"registration number\\\", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the \\\"registration number\\\" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"When connecting to the Solax Cloud MQTT server the username is the \\\"registration number\\\", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the \\\"registration number\\\" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-330\", \"description\": \"CWE-330 Use of Insufficiently Random Values\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2026-02-12T10:58:29.373Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-15574\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-12T15:15:45.817Z\", \"dateReserved\": \"2026-02-09T09:43:51.017Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2026-02-12T10:58:29.373Z\", \"assignerShortName\": \"SEC-VLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.