
CVE-2025-36758

Bypass of bruteforce protection in SolaX Cloud

CVE CVE-2025-36758
Title Bypass of bruteforce protection in SolaX Cloud
Credits
Affected products
Product Affected Unaffected Unknown
SolaX Power SolaX Cloud = before 27-06-2025
everything else
CVSS
Base score 6.3 - MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements PRESENT
Privileges Required NONE
Confidentiality Impact
Vulnerable system LOW Subsequent systems NONE
Integrity Impact
Vulnerable system LOW Subsequent systems NONE
Availability Impact
Vulnerable system NONE Subsequent systems NONE
Safety impact NOT_DEFINED
Automatable NOT_DEFINED
Recovery NOT_DEFINED
Value Density NOT_DEFINED
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED
References
Problem type(s) CWE-307 Improper Restriction of Excessive Authentication Attempts
Date published
Last modified

Description

It is possible to bypass the clipping level of authentication attempts in SolaX Cloud through the use of the 'Forgot Password' functionality as an oracle.

