DIVD-2025-00015 - Various vulnerabilities found in SolaX Cloud platform for solarpanel inverters
| Our reference | DIVD-2025-00015 |
| Case lead | Max van der Horst |
| Researcher(s) |
|
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | N/A |
| Patch status | Unavailable |
| Workaround | No workaround available |
| Status | Closed |
| Last modified | 10 Sep 2025 11:44 CEST |
Summary
SolaX Cloud is a cloud platform that allows owners of SolaX solarpanel inverters to manage their inverters through the cloud. DIVD has received a vulnerability report from a researcher at ENCS with a number of vulnerabilities of which at least one is considered critical. SolaX has fixed these vulnerabilities in SolaX Cloud version 6.9.
What you can do
As this is an online service, you do not have to take any action right now.
What we are doing
As this regards an online service, there are no on-premises systems to scan. DIVD verified that the vulnerabilities have been patched.
Timeline
| Date | Description |
|---|---|
| 08 Apr 2025 | Vulnerabilities disclosed to DIVD. |
| 08 Apr 2025 | First attempt to disclose to vendor via email (info@solaxpower.com). |
| 14 Apr 2025 | Second attempt to disclose to vendor through contact with SolaX Power director Benelux. |
| 22 Apr 2025 | Third attempt to disclose to vendor through contact with SolaX Power director Benelux. |
|
22 Apr 2025- 24 Apr 2025 |
Fourth attempt to disclose to vendor via email, ticket closed without reply (service@solaxpower.com, ticket number 382458). |
|
30 Apr 2025- 02 May 2025 |
Fifth attempt to disclose to vendor via email, reply promised by servicedesk before May 8th. Ticket closed (service@solaxpower.com, ticket number 389793). |
| 08 May 2025 | First version of this casefile alongside limited disclosure preparations sent to SolaX Power. |
|
08 Apr 2025- 15 May 2025 |
Solax confirms receipt of the vulnerabilities. |
|
08 Apr 2025- 26 May 2025 |
Solax acknowledges the vulnerabilities. |
|
15 May 2025- 27 Jun 2025 |
Time to remediation |
| 10 Sep 2025 | Case closed. |
gantt
title DIVD-2025-00015 - Various vulnerabilities found in SolaX Cloud platform for solarpanel inverters
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2025-00015 - Various vulnerabilities found in SolaX Cloud platform for solarpanel inverters (155 days) :2025-04-08, 2025-09-10
section Events
Vulnerabilities disclosed to DIVD. : milestone, 2025-04-08, 0d
First attempt to disclose to vendor via email (info@solaxpower.com). : milestone, 2025-04-08, 0d
Second attempt to disclose to vendor through contact with SolaX Power director Benelux. : milestone, 2025-04-14, 0d
Third attempt to disclose to vendor through contact with SolaX Power director Benelux. : milestone, 2025-04-22, 0d
Fourth attempt to disclose to vendor via email, ticket closed without reply (service@solaxpower.com, ticket number 382458). (2 days) : 2025-04-22, 2025-04-24
Fifth attempt to disclose to vendor via email, reply promised by servicedesk before May 8th. Ticket closed (service@solaxpower.com, ticket number 389793). (2 days) : 2025-04-30, 2025-05-02
First version of this casefile alongside limited disclosure preparations sent to SolaX Power. : milestone, 2025-05-08, 0d
Solax confirms receipt of the vulnerabilities. (37 days) : 2025-04-08, 2025-05-15
Solax acknowledges the vulnerabilities. (48 days) : 2025-04-08, 2025-05-26
Time to remediation (43 days) : 2025-05-15, 2025-06-27
Case closed. : milestone, 2025-09-10, 0d