CVE-2025-29756 HIGH

CVE-2025-29756: MQTT implementation in Sungrow iSolarCloud allowed users to subscribe to all data of all connected inverters

Vendor Sungrow

Product iSolarCloud

Weakness CWE-862 · Missing authorization

Published June 11, 2025

Last update June 23, 2025

View on NVD All CVEs

CVSS base score

8.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:Y

What the vulnerability does

01Description

SunGrow's back end users system iSolarCloud https://isolarcloud.com uses an MQTT service to transport data from the user's connected devices to the user's web browser. The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to. While the data that is transmitted through the MQTT server is encrypted and the credentials for the MQTT server are obtained though an API call, the credentials could be used to subscribe to any topic and the encryption key can be used to decrypt all messages received. An attack with an account on iSolarCloud.com could extract MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus recieve all messages from all connected devices.

Key dates

02Disclosure timeline

June 11, 2025 CVE published

June 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-29756 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

CVE-2025-29756: MQTT implementation in Sungrow iSolarCloud allowed users to subscribe to all data of all connected inverters

01Description

02Disclosure timeline

03References

04Related CVE