← volver
CVE-2025-15573

Missing Certificate Validation for Solax Power Pocket WiFi models MQTT Cloud Connection

CVSS 9.4 CRITICALEPSS 0.2%CWE-295
Vexday Risk Score
28Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 9.4EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
12 feb 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a man-in-the-middle position to act as the legitimate MQTT server and issue arbitrary commands to devices.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Productos afectados
SolaX Power · Pocket WiFi 3.0SolaX Power · Pocket WiFi 4.0SolaX Power · Pocket WiFi+4GMSolaX Power · Pocket WiFi+LANSolaX Power · Pocket WiFi+LAN 2.0

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://r.sec-consult.com/solax