CVE-2025-29756

MQTT implementation in Sungrow iSolarCloud allowed users to subscribe to all data of all connected inverters

CVE CVE-2025-29756
Title MQTT implementation in Sungrow iSolarCloud allowed users to subscribe to all data of all connected inverters
Case DIVD-2025-00009
Credits
Affected products
Product Affected Unaffected Unknown
SunGrow iSolarCloud >= 0 to < 7 June 2025 (custom)
everything else
CVSS
Base score 8.3 - HIGH
Attack Vector NETWORK
Attack Complexity> LOW
Attack Requirements NONE
Privileges Required LOW
Confidentiality Impact
Vulnerable system HIGH Subsequent systems HIGH
Integrity Impact
Vulnerable system NONE Subsequent systems NONE
Availability Impact
Vulnerable system NONE Subsequent systems NONE
Safety impact NOT_DEFINED
Automatable YES
Recovery NOT_DEFINED
Value Density NOT_DEFINED
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED
References
Problem type(s) CWE-862 Missing Authorization
Impact(s) CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
Date published 08 Jun 2025 22:00 UTC
Last modified

Description

SunGrow's back end users system iSolarCloud uses an MQTT service to transport data from the user's connected devices to the user's web browser. 
The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to. 
While the data that is transmitted through the MQTT server is encrypted and the credentials for the MQTT server are obtained though an API call, the credentials could be used to subscribe to any topic and the encryption key can be used to decrypt all messages received.
An attack with an account on iSolarCloud.com could extract MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus recieve all messages from all connected devices.

Solution(s)

iSolarCloud has been patched by SunGrow and the vulnerability is no longer exploitable.

JSON version.