CVE-2025-15574 - Vulnerability Details - OpenCVE

When connecting to the Solax Cloud MQTT server the username is the "registration number", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the "registration number" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Solax	Pocket Wifi 3
Solax Power	Pocket Wifi+4gm Pocket Wifi+lan Pocket Wifi+lan 2.0 Pocket Wifi 4.0

No data.

No data.

References

Link	Providers
https://r.sec-consult.com/solax

History

Thu, 12 Feb 2026 12:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Solax Solax pocket Wifi 3 Solax Power Solax Power pocket Wifi+4gm Solax Power pocket Wifi+lan Solax Power pocket Wifi+lan 2.0 Solax Power pocket Wifi 4.0
Vendors & Products		Solax Solax pocket Wifi 3 Solax Power Solax Power pocket Wifi+4gm Solax Power pocket Wifi+lan Solax Power pocket Wifi+lan 2.0 Solax Power pocket Wifi 4.0

Thu, 12 Feb 2026 11:15:00 +0000

Type	Values Removed	Values Added
Description		When connecting to the Solax Cloud MQTT server the username is the "registration number", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the "registration number" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.
Title		Insecure Credential Generation for Solax Power Pocket WiFi models MQTT Cloud Connection
Weaknesses		CWE-330
References		https://r.sec-consult.com/solax

MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published: 2026-02-12T10:58:29.373Z

Updated: 2026-02-12T15:15:45.817Z

Reserved: 2026-02-09T09:43:51.017Z

Link: CVE-2025-15574

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-02-12T11:15:49.117

Modified: 2026-02-12T15:10:37.307

Link: CVE-2025-15574

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15574", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2026-02-09T09:43:51.017Z", "datePublished": "2026-02-12T10:58:29.373Z", "dateUpdated": "2026-02-12T15:15:45.817Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Pocket WiFi 3.0", "vendor": "SolaX Power", "versions": [{"status": "affected", "version": "<3.022.03"}]}, {"defaultStatus": "unaffected", "product": "Pocket WiFi+LAN", "vendor": "SolaX Power", "versions": [{"status": "affected", "version": "<1.009.02"}]}, {"defaultStatus": "unaffected", "product": "Pocket WiFi+4GM", "vendor": "SolaX Power", "versions": [{"status": "affected", "version": "<1.005.05"}]}, {"defaultStatus": "unaffected", "product": "Pocket WiFi+LAN 2.0", "vendor": "SolaX Power", "versions": [{"status": "affected", "version": "<006.06"}]}, {"defaultStatus": "unaffected", "product": "Pocket WiFi 4.0", "vendor": "SolaX Power", "versions": [{"status": "affected", "version": "<003.03"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Stefan Viehb\u00f6ck, SEC Consult Vulnerability Lab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "When connecting to the Solax Cloud MQTT server the username is the \"registration number\", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the \"registration number\" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.<br>"}], "value": "When connecting to the Solax Cloud MQTT server the username is the \"registration number\", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the \"registration number\" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters."}], "impacts": [{"capecId": "CAPEC-21", "descriptions": [{"lang": "en", "value": "CAPEC-21 Exploitation of Trusted Identifiers"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "description": "CWE-330 Use of Insufficiently Random Values", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-02-12T10:58:29.373Z"}, "references": [{"url": "https://r.sec-consult.com/solax"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vendor provides patches for the affected Pocket models which can be obtained throw their customer's Solax Cloud account and using the Pocket firmware upgrade function there.<br><br>As of February 10, 2026, the firmware versions for each affected Pocket model are as follows according to the vendor:<br>1. Pocket WiFi 3.0 \u2013 (3.022.03)<br>2. Pocket WiFi+LAN \u2013 (1.009.02)<br>3. Pocket WiFi+4GM \u2013 (1.005.05)<br>4. Pocket WiFi+LAN 2.0 \u2013 (006.06)<br>5. Pocket WiFi 4.0 \u2013 (003.03)<br><br>The vendor provided the following further information regarding EV Charger and Adapter Box:<br>1. EV Charger: The WiFi module firmware supports digital signature, but only one-way authentication is implemented.<br>2. Adapter Box: The WiFi module firmware supports two-way authentication and digital signature.<br>"}], "value": "The vendor provides patches for the affected Pocket models which can be obtained throw their customer's Solax Cloud account and using the Pocket firmware upgrade function there.\n\nAs of February 10, 2026, the firmware versions for each affected Pocket model are as follows according to the vendor:\n1. Pocket WiFi 3.0 \u2013 (3.022.03)\n2. Pocket WiFi+LAN \u2013 (1.009.02)\n3. Pocket WiFi+4GM \u2013 (1.005.05)\n4. Pocket WiFi+LAN 2.0 \u2013 (006.06)\n5. Pocket WiFi 4.0 \u2013 (003.03)\n\nThe vendor provided the following further information regarding EV Charger and Adapter Box:\n1. EV Charger: The WiFi module firmware supports digital signature, but only one-way authentication is implemented.\n2. Adapter Box: The WiFi module firmware supports two-way authentication and digital signature."}], "source": {"discovery": "EXTERNAL"}, "title": "Insecure Credential Generation for Solax Power Pocket WiFi models MQTT Cloud Connection", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T15:15:40.976873Z", "id": "CVE-2025-15574", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:15:45.817Z"}}]}}