CVE-2025-15574: CWE-330 Use of Insufficiently Random Values in SolaX Power Pocket WiFi 3.0
CVE-2025-15574 is a vulnerability in the SolaX Power Pocket WiFi 3.0 device where weak password derivation from a publicly visible registration number allows attackers to impersonate devices on the Solax Cloud MQTT server. The password is generated from the registration number, a 10-character string printed on the device and encoded in its QR code, using a proprietary XOR/transposition algorithm. Attackers who obtain a registration number can connect to the MQTT server as that device and potentially control or spoof its communications. The flaw is classified as use of insufficiently random values (CWE-330) for authentication credentials. There are no known exploits in the wild yet, and no CVSS score has been assigned. The vulnerability affects versions of the Pocket WiFi 3.0 prior to 3.022.03.
AI Analysis
Technical Summary
CVE-2025-15574 is a security vulnerability identified in the SolaX Power Pocket WiFi 3.0 device, specifically affecting versions earlier than 3.022.03. The vulnerability stems from the use of insufficiently random values (CWE-330) in the authentication mechanism connecting the device to the Solax Cloud MQTT server. The authentication process uses a username that is the device's registration number, a 10-character string printed directly on the device and encoded in its QR code. The password is derived from this registration number through a proprietary XOR and transposition algorithm; because the derivation is deterministic and its only input is a public value, the password carries no entropy beyond the registration number itself. Consequently, an attacker who obtains the registration number can compute or guess the password and connect to the MQTT server, impersonating the Pocket WiFi dongle or the inverters behind it. This impersonation could allow attackers to send false data, disrupt device operation, or interfere with energy management systems relying on these devices. The vulnerability is particularly concerning because the registration number is physically exposed on the device, making it accessible to anyone with physical proximity or access to images of the device. No public exploits have been reported yet, and no official patch links are currently available, though the vendor has presumably reserved the CVE and may release updates. The lack of a CVSS score means an independent severity assessment is needed. The weakness in cryptographic design and the exposure of authentication credentials make this a significant threat to the integrity and availability of solar power infrastructure using these devices.
Potential Impact
For European organizations, especially those deploying SolaX Power Pocket WiFi 3.0 devices and inverters, this vulnerability poses a risk of unauthorized access and control over solar energy equipment. Attackers could impersonate legitimate devices to manipulate data sent to cloud services, potentially causing incorrect energy reporting, disrupting energy production monitoring, or interfering with grid management systems. This could lead to financial losses, operational disruptions, and reduced trust in renewable energy infrastructure. The impact is more pronounced in countries with high solar adoption and where these devices are widely deployed in residential, commercial, or industrial settings. Additionally, compromised devices could be leveraged as entry points into broader network environments, increasing the risk of lateral movement and further compromise. The confidentiality of device credentials is at risk, and the integrity and availability of device communications can be undermined. While no exploits are known in the wild, the ease of obtaining registration numbers and the weak password derivation method increase the likelihood of exploitation once attackers target these devices.
Mitigation Recommendations
1. Enforce physical security measures immediately to prevent unauthorized individuals from accessing or photographing the devices to obtain registration numbers.
2. Monitor network traffic to and from the Solax Cloud MQTT server for unusual connection attempts or device impersonation indicators.
3. Engage with SolaX Power for firmware updates and apply patches as soon as they become available to address this vulnerability.
4. If possible, disable remote MQTT connections or restrict them via network segmentation and firewall rules to trusted IP addresses only.
5. Implement anomaly detection on device telemetry data to identify suspicious behavior indicative of impersonation or manipulation.
6. Consider deploying additional authentication layers or VPN tunnels for MQTT communications to enhance security beyond the device's native mechanism.
7. Educate staff and end-users about the risks of exposing device registration numbers publicly, including in photographs or social media posts.
8. For critical infrastructure, evaluate alternative devices or solutions with stronger authentication mechanisms until a secure patch is confirmed.
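Recommendations 2 and 5 above call for monitoring MQTT connections for impersonation indicators. The following is an added example, not code from the advisory, from SolaX or from the Solax Cloud platform, of what such a check can look like on the broker side: it reads connection events and flags a device username (the registration number) that connects from a second source address, or that connects again while a session under that username is still open, which is what a cloned credential looks like from the broker's point of view. The log format, the registration numbers and the IP addresses are constructed for this example; the real Solax Cloud broker logs are not on the page and may look different.

```python
"""
Added example (not part of the advisory or any vendor code): detect signs of
MQTT device impersonation from broker connection logs. Assumes a constructed,
mosquitto-like line format:
    <epoch>: CONNECT client=<client id> user=<registration number> from=<ip>
    <epoch>: DISCONNECT client=<client id> user=<registration number>
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log. SW12345678 is a (made-up) registration number that
# connects from a second address while its first session is still open.
SAMPLE_LOG = """\
1770000000: CONNECT client=SWabc123 user=SW12345678 from=203.0.113.10
1770000005: CONNECT client=SWdef456 user=SW87654321 from=203.0.113.11
1770000100: CONNECT client=SWabc123 user=SW12345678 from=198.51.100.7
1770000130: DISCONNECT client=SWdef456 user=SW87654321
1770000200: CONNECT client=SWdef456 user=SW87654321 from=203.0.113.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+): (?P<event>CONNECT|DISCONNECT) client=(?P<client>\S+) "
    r"user=(?P<user>\S+)(?: from=(?P<ip>\S+))?$"
)


@dataclass
class DeviceState:
    """What the broker has seen so far for one username (registration number)."""
    ips: set = field(default_factory=set)   # every source address seen
    connected: bool = False                 # is a session currently open?


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev


def find_impersonation(log_text: str) -> list:
    """Return (timestamp, username, reason) tuples for suspicious CONNECT events."""
    state = defaultdict(DeviceState)
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        dev = state[ev["user"]]
        if ev["event"] == "CONNECT":
            # A second CONNECT without a DISCONNECT in between: either a
            # session takeover by a cloned credential or a flaky device.
            if dev.connected:
                alerts.append((ev["ts"], ev["user"], "connect while session open"))
            # Same registration number, different network origin.
            if dev.ips and ev["ip"] not in dev.ips:
                alerts.append((ev["ts"], ev["user"],
                               f"new source {ev['ip']}, previously {sorted(dev.ips)}"))
            dev.ips.add(ev["ip"])
            dev.connected = True
        else:
            dev.connected = False
    return alerts


if __name__ == "__main__":
    for ts, user, reason in find_impersonation(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

Both signals are indicators, not proof: a dongle on a consumer uplink will change address on DHCP or carrier-grade NAT renewals and will reconnect without a clean DISCONNECT after a power blip, so in production the source-address check should be tuned per site (for example, alert only on a change of ASN or country, or on two open sessions at once) and correlated with the telemetry anomalies recommendation 5 asks for.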
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: SEC-VLab
- Date Reserved: 2026-02-09T09:43:51.017Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 698db73dc9e1ff5ad8c38f9e
Added to database: 2/12/2026, 11:19:25 AM
Last enriched: 2/12/2026, 11:33:47 AM
Last updated: 2/12/2026, 12:21:42 PM
Related Threats
- CVE-2025-15575: CWE-494 Download of Code Without Integrity Check in SolaX Power Pocket WiFi 3.0 (High)
- CVE-2025-15573: CWE-295 Improper Certificate Validation in SolaX Power Pocket WiFi 3.0 (Unknown)
- CVE-2026-2276: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in https://www.lavanguardia.com/vida/20260212/11464294/webs-grupo-godo-sufren-ciberataque.html web application (Medium)
- CVE-2026-1356: CWE-918 Server-Side Request Forgery (SSRF) in mateuszgbiorczyk Converter for Media – Optimize images | Convert WebP & AVIF (Medium)
- CVE-2026-21722: Vulnerability in Grafana grafana/grafana (Medium)