
CVE-2025-36759: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in SolaX Power SolaX Cloud

Severity: High
Tags: vulnerability, cve, cve-2025-36759, cwe-200
Published: Wed Sep 10 2025 (09/10/2025, 08:50:56 UTC)
Source: CVE Database V5
Vendor/Project: SolaX Power
Product: SolaX Cloud

Description

Through the provision of user names, SolaX Cloud will suggest (similar) user accounts and thereby leak sensitive information such as user email addresses and phone numbers.

AI-Powered Analysis

AI analysis last updated: 09/10/2025, 09:15:11 UTC

Technical Analysis

CVE-2025-36759 is a high-severity vulnerability affecting SolaX Power's SolaX Cloud platform, identified as an exposure of sensitive information (CWE-200). The vulnerability arises from the platform's user account suggestion feature, which returns similar user accounts when given a user name. This behavior inadvertently leaks sensitive personal information, specifically user email addresses and phone numbers, to unauthorized actors. The vulnerability is remotely exploitable over the network without authentication, privileges, or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:N), which increases the risk of automated or large-scale data harvesting. The impact is confined to confidentiality, with no direct effect on integrity or availability. The vulnerability affects all versions of SolaX Cloud prior to June 27, 2025. Although no known exploits are currently reported in the wild, the ease of exploitation and the nature of the leaked data pose significant privacy and security risks: attackers can use this information for targeted phishing, social engineering, or further attacks against users or the organization. No official patch links are provided yet, indicating that remediation may still be pending or in progress.

Potential Impact

For European organizations using SolaX Cloud, this vulnerability presents a substantial risk to user privacy and data protection compliance, particularly under GDPR regulations. The leakage of email addresses and phone numbers can lead to increased phishing attacks, identity theft, and reputational damage. Organizations relying on SolaX Cloud for energy management or monitoring may face indirect operational risks if attackers use the leaked information to target employees or customers. The exposure of personal data could also result in regulatory fines and legal consequences. Given the critical role of energy infrastructure and the increasing integration of cloud-based management systems in Europe, this vulnerability could undermine trust in smart energy solutions and complicate compliance efforts. The absence of authentication and user interaction requirements means attackers can exploit this vulnerability at scale, potentially affecting large user bases across multiple organizations.

Mitigation Recommendations

European organizations should immediately verify their use of SolaX Cloud and identify affected versions prior to 27 June 2025. Until an official patch is released, organizations should implement network-level controls such as IP whitelisting or VPN access to restrict access to the SolaX Cloud platform. Monitoring and logging of access patterns should be enhanced to detect unusual querying behavior indicative of enumeration attacks. User education on phishing risks should be intensified, given the potential for harvested contact information to be used in social engineering. Organizations should engage with SolaX Power for timely updates and apply patches as soon as they become available. Additionally, consider implementing rate limiting or CAPTCHA mechanisms at the application layer to reduce automated exploitation risks. Where possible, review and adjust privacy settings or disable the user account suggestion feature until the vulnerability is remediated. Finally, conduct a thorough audit of exposed user data and notify affected users in compliance with GDPR breach notification requirements.
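The detection recommendation above (spotting enumeration-style querying of the account suggestion feature in access logs) can be implemented as a sliding-window check per source address. The following is an added example written for this page, not SolaX Cloud's own code; the endpoint path `/api/user/suggest`, the `name` query parameter, the Common Log Format input and the thresholds are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions (not SolaX Cloud's real API): the suggestion feature is served at
# SUGGEST_PATH and takes the typed name as a "name" query parameter.
SUGGEST_PATH = "/api/user/suggest"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    """Parse one Common Log Format line; None when it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": path, "query": query, "status": int(m["status"])}

def flag_enumerators(lines, window=timedelta(seconds=60), max_requests=20, max_distinct=10):
    """Return {ip: (requests, distinct_names)} for sources whose successful suggestion
    lookups in any sliding window exceed either threshold (a person typing a name
    produces a few prefixes; an enumerator produces many unrelated names)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["path"] == SUGGEST_PATH and rec["status"] == 200:
            events[rec["ip"]].append((rec["ts"], rec["query"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, worst = 0, (0, 0)
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window start forward
                start += 1
            win = evs[start:end + 1]
            worst = max(worst, (len(win), len({q for _, q in win})))
        if worst[0] > max_requests or worst[1] > max_distinct:
            flagged[ip] = worst
    return flagged

def constructed_log():
    """Constructed sample: one source cycles through 25 names in 25 s, one user types 3 prefixes."""
    base = datetime(2025, 9, 10, 8, 50, 0, tzinfo=timezone.utc)
    stamp = lambda i: (base + timedelta(seconds=i)).strftime(TS_FMT)
    lines = [f'203.0.113.7 - - [{stamp(i)}] "GET {SUGGEST_PATH}?name=user{i:03d} HTTP/1.1" 200 310'
             for i in range(25)]
    lines += [f'198.51.100.4 - - [{stamp(i)}] "GET {SUGGEST_PATH}?name={p} HTTP/1.1" 200 120'
              for i, p in enumerate(["al", "ali", "alic"])]
    return lines
```

Tune the thresholds to the legitimate typing rate observed in your own logs before alerting on them; the distinct-name count is the more robust signal, since a real user's successive queries are prefixes of one name.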


Technical Details

Data Version
5.1
Assigner Short Name
DIVD
Date Reserved
2025-04-15T21:54:36.815Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c13e20e55cc6e90da004a4

Added to database: 9/10/2025, 9:00:16 AM

Last enriched: 9/10/2025, 9:15:11 AM

Last updated: 9/10/2025, 11:15:49 AM

