CVE-2025-29756
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-11

Last updated on: 2025-06-12

Assigner: Dutch Institute for Vulnerability Disclosure

Description
SunGrow's back end users system iSolarCloud https://isolarcloud.com  uses an MQTT service to transport data from the user's connected devices to the user's web browser.  The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to.  While the data that is transmitted through the MQTT server is encrypted and the credentials for the MQTT server are obtained though an API call, the credentials could be used to subscribe to any topic and the encryption key can be used to decrypt all messages received. An attack with an account on iSolarCloud.com could extract MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus recieve all messages from all connected devices.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-11
Last Modified
2025-06-12
Generated
2026-05-06
AI Q&A
2025-06-11
EPSS Evaluated
2026-05-05
NVD
CVE-2025-29756
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in SunGrow's iSolarCloud system, which uses an MQTT service to transport data from connected devices to the user's web browser. The MQTT server does not properly restrict the topics a user can subscribe to. An attacker with an iSolarCloud account can extract MQTT credentials and the decryption key from the browser, then use an external program to subscribe to all topics ('#'), allowing them to receive and decrypt all messages from all connected devices.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized access to all data transmitted between connected devices and the user's web browser. An attacker can intercept and decrypt all messages from all devices, potentially exposing sensitive information and compromising the privacy and security of the user's data.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart