CVE-2025-15573

CVE-2025-15573: Missing Certificate Validation for Solax Power Pocket WiFi models MQTT Cloud Connection

Vendor: Solax Power
Product: Pocket WiFi 3.0
Weakness: CWE-295
Published: February 12, 2026
Last update: February 12, 2026

CVSS base score

What the vulnerability does

01 Description

The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a man-in-the-middle position to act as the legitimate MQTT server and issue arbitrary commands to devices.
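The weakness described above, shown as an added example that is not the vendor's firmware code: a TLS client context that accepts any certificate beside one that enforces chain and host name validation, with an audit helper that reports the difference. Python's `ssl` module stands in for the device's TLS stack, which the advisory does not name; the function names are hypothetical, and the host and port are taken from the description.

```python
import socket
import ssl

BROKER_HOST = "mqtt001.solaxcloud.com"  # broker named in the advisory
BROKER_PORT = 8883                      # MQTTS port named in the advisory


def unvalidated_context():
    """Client context with the CWE-295 behaviour: any server certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE      # chain of trust is never checked
    return ctx


def validated_context(cafile=None):
    """Client context that verifies the chain and the host name.

    cafile is an optional pinned CA bundle (assumption: a fixed trust anchor
    is provisioned on the device); None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the certificate-validation gaps found in a client SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the broker host name")
    return findings


def open_broker_socket(ctx, timeout=10):
    """Open the MQTTS transport. With a validated context the handshake raises
    ssl.SSLCertVerificationError when the peer cannot prove it is BROKER_HOST."""
    raw = socket.create_connection((BROKER_HOST, BROKER_PORT), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=BROKER_HOST)


if __name__ == "__main__":
    for name, ctx in (("unvalidated", unvalidated_context()),
                      ("validated", validated_context())):
        print(name, audit_context(ctx) or "no findings")
```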

Key dates

02 Disclosure timeline

February 12, 2026: CVE published
February 12, 2026: Record updated