Data Exposure Vulnerability in SunGrow's iSolarCloud MQTT Service
CVE-2025-29756

8.3HIGH

Key Information:

Vendor: Sungrow
Status: Isolarcloud
Vendor: CVE Published:; 11 June 2025

What is CVE-2025-29756?

The iSolarCloud backend relies on an MQTT service for transmitting data from connected devices to users. However, the service lacks adequate restrictions, allowing unauthorized subscription to any topic. As a result, attackers with valid iSolarCloud accounts can exploit this weakness to extract MQTT credentials and encryption keys through the browser, granting them access to all messages sent from connected devices. This vulnerability highlights critical lapses in user data protection measures within the MQTT implementation.

Affected Version(s)

iSolarCloud 0 < 7 June 2025

References

https://csirt.divd.nl/CVE-2025-29756

third-party-advisorytechnical-description

https://csirt.divd.nl/DIVD-2025-00009

third-party-advisory

https://isolarcloud.com

product

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2025
Vulnerability Reserved
Mar 11, 2025

Credit

Harm van den Brink (DIVD)

Frank Breedijk (DIVD)

ENCS (https://encs.eu/)

Sungrow

What is CVE-2025-29756?

Affected Version(s)

References

CVSS V4

Timeline

Credit