CVE-2025-15574 identifies a cryptographic weakness in the authentication mechanism of the SolaX Power Pocket WiFi 3.0 device when connecting to the Solax Cloud MQTT server. The device uses a 10-character registration number as the username, which is publicly visible on the device label and QR code. The password is generated from this registration number through a proprietary XOR and transposition algorithm that lacks sufficient randomness and cryptographic strength (classified under CWE-330: Use of Insufficiently Random Values). This weak password derivation allows attackers who know or can obtain registration numbers to authenticate to the MQTT server as legitimate devices without requiring any additional credentials or user interaction. Consequently, attackers can impersonate the dongle or connected inverters, potentially injecting false data, disrupting communications, or manipulating device operations. The vulnerability affects all versions of the Pocket WiFi 3.0 firmware prior to 3.022.03. The CVSS v3.1 base score is 6.5 (medium), reflecting network exploitability without privileges or user interaction, and limited impact on confidentiality and integrity but no impact on availability. No patches are currently linked, and no exploits are known in the wild, but the exposure of registration numbers and weak password derivation present a tangible risk to device security and trustworthiness in the Solax ecosystem.

The primary impact of this vulnerability is the potential for attackers to impersonate legitimate SolaX Power Pocket WiFi 3.0 devices and their associated inverters by exploiting weak authentication credentials. This impersonation can lead to unauthorized access to the Solax Cloud MQTT server, enabling attackers to inject false telemetry data, disrupt inverter operations, or manipulate energy production reporting. Such actions could undermine the integrity of energy management systems, cause operational disruptions, and potentially lead to financial losses or grid instability if exploited at scale. Confidentiality is moderately impacted since attackers gain unauthorized access to device communications, but availability is not directly affected. Organizations relying on these devices for solar power monitoring and control may face risks to operational reliability and trust in their energy data. The ease of exploitation—requiring only knowledge of the registration number—raises the likelihood of targeted attacks, especially if registration numbers are exposed or leaked. The absence of known exploits in the wild suggests limited current impact but highlights the need for proactive mitigation.

To mitigate this vulnerability, organizations should immediately upgrade all affected SolaX Power Pocket WiFi 3.0 devices to firmware version 3.022.03 or later once available, as this should address the weak password derivation mechanism. Until patches are deployed, restrict physical and digital access to device registration numbers to prevent attackers from obtaining these credentials. Implement network-level controls such as IP whitelisting or VPN access for connections to the Solax Cloud MQTT server to limit unauthorized access. Monitor MQTT server logs for unusual authentication attempts or device impersonation activities. Consider deploying anomaly detection systems to identify suspicious inverter behavior or data inconsistencies. Engage with SolaX Power support to confirm patch availability and request guidance on secure credential management. Additionally, review and enhance overall IoT device security policies, including device inventory management and credential confidentiality practices, to reduce exposure to similar risks.