CVE-2025-15573

CRITICAL

SolaX Cloud - Man-in-the-Middle

Title source: llm

Description

The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a man-in-the-middle position to act as the legitimate MQTT server and issue arbitrary commands to devices.

References (1)

[Various Sources] https://r.sec-consult.com/solax

Scores

CVSS v3 9.4

EPSS 0.0001

EPSS Percentile 1.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (5)

SolaX Power/Pocket WiFi 3.0 <3.022.03

SolaX Power/Pocket WiFi 4.0 <003.03

SolaX Power/Pocket WiFi+4GM <1.005.05

SolaX Power/Pocket WiFi+LAN <1.009.02

SolaX Power/Pocket WiFi+LAN 2.0 <006.06

Published Feb 12, 2026

Tracked Since Feb 18, 2026