Broken Access Control in SolisCloud API Affects User Data Accessibility
CVE-2025-13932

8.3HIGH

Key Information:

Vendor

Soliscloud

Status
Monitoring Platform (cloud Api & Device Control Api)
Vendor
CVE Published:
4 December 2025

What is CVE-2025-13932?

The SolisCloud API is vulnerable to a Broken Access Control issue, specifically an Insecure Direct Object Reference (IDOR). This flaw enables authenticated users to manipulate the 'plant_id' parameter in requests, granting them unauthorized access to sensitive information related to any plant. The misuse of this vulnerability can lead to significant privacy breaches and data integrity risks.

Affected Version(s)

Monitoring Platform (Cloud API & Device Control API) API v1

Monitoring Platform (Cloud API & Device Control API) API v1

Monitoring Platform (Cloud API & Device Control API) API v2

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-3...
government-resource

CVSS V4

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

James Gallagher (@5G)
JSON
.
CVE-2025-13932 : Broken Access Control in SolisCloud API Affects User Data Accessibility