CVE-2025-15573
MQTT Server Certificate Validation Bypass in SolaX Devices Enables Command Injection
Publication date: 2026-02-12
Last updated on: 2026-02-12
Assigner: SEC Consult Vulnerability Lab
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| solax | power_pocket_wifi | 618.00415.00_pocket_wifi_v3.015.02_20240122 |
| solax | power_pocket_wifi | 3.0 |
| solax | power_pocket_wifi | +lan |
| solax | power_pocket_wifi | +4gm |
| solax | power_pocket_wifi | +lan_2.0 |
| solax | power_pocket_wifi | 4.0 |
| solax | inverter_wifi_lan_lte_dongles | * |
| solax | adapter_box | * |
| solax | ev_charger | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15573 is a security vulnerability affecting various Solax Power Pocket WiFi models and related devices. The issue arises because these devices do not validate the server's TLS certificate when connecting to the SolaX Cloud MQTT server (mqtt001.solaxcloud.com on TCP port 8883).

This lack of certificate validation allows attackers positioned as man-in-the-middle (MITM) to impersonate the legitimate MQTT server and send arbitrary commands to the affected devices.

Such attacks can be executed on a large scale using techniques like BGP hijacking or DNS spoofing, enabling attackers to intercept and manipulate MQTT traffic between devices and the cloud server. [1]
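The failure mode described above, as an added example that is not part of the advisory or any vendor code: a Go TLS client configured like the affected devices (no server certificate validation) accepts a self-signed certificate minted for the broker name, while a client that checks the hostname and the chain refuses it. Only the broker hostname comes from the advisory; the local listener, the throwaway certificate and the function names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// BrokerName is the SolaX Cloud MQTT broker hostname named in the advisory.
const BrokerName = "mqtt001.solaxcloud.com"

// Vulnerable mirrors the CWE-295 behaviour: any server certificate is accepted.
var Vulnerable = &tls.Config{ServerName: BrokerName, InsecureSkipVerify: true}

// Hardened checks the hostname and requires a chain to RootCAs (a patched device would load the real broker CA here).
var Hardened = &tls.Config{ServerName: BrokerName, RootCAs: x509.NewCertPool(), MinVersion: tls.VersionTLS12}

// selfSignedCert mints a throwaway certificate for the broker name (constructed stand-in for an impersonating server).
func selfSignedCert() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{BrokerName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// RogueBrokerAccepted serves the self-signed certificate from a local TLS listener, dials it with cfg,
// and reports whether the client completed the handshake (true means the impersonation went unnoticed).
func RogueBrokerAccepted(cfg *tls.Config) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}})
	if err != nil { return false, err }
	defer ln.Close()
	go func() { // server side: drive one handshake to completion or failure, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return false, nil // certificate refused, which is what a patched device does
	}
	return true, conn.Close()
}
```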
How can this vulnerability impact me?
This vulnerability can have severe impacts including disruption of electric grid operations by repeatedly starting or stopping inverters.
Attackers can issue unauthorized commands to devices, potentially causing physical damage by disabling safety checks or creating harmful operational conditions.
Additionally, attackers may flash malicious firmware due to related vulnerabilities, gaining local network access and further compromising device integrity.
There is no known workaround, so immediate installation of vendor patches is strongly recommended to mitigate these risks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by intercepting and analyzing the MQTT traffic between the affected device and the SolaX Cloud MQTT server (mqtt001.solaxcloud.com) on TCP port 8883. Proof-of-concept commands include using iptables and mitmproxy to intercept and manipulate MQTT traffic, which can reveal the lack of server certificate validation.
- Use iptables rules to redirect MQTT traffic for interception.
- Use mitmproxy to capture and analyze the MQTT TLS traffic on port 8883.
What immediate steps should I take to mitigate this vulnerability?
There is no workaround available for this vulnerability. The immediate step to mitigate the risk is to install the vendor-provided patches as soon as possible. Updated firmware versions have been released by the vendor and are available via the Solax Cloud account and the firmware upgrade function.
- Immediately update the affected devices to the latest patched firmware provided by Solax.
- Perform a comprehensive security review of the affected products to identify and address further issues.