【Security Advisory】MQTT implementation in Sungrow iSolarCloud allowed users to subscribe to inverter data (CVE-2025-29756)
Publish Date: 20250710
Product: iSolarCloud
CVE ID: CVE-2025-29756
Severity: HIGH
Date: [20250710]
Description
Sungrow's back-end user system iSolarCloud uses an MQTT service to transport data from the user's connected devices to the user's web browser.
The MQTT server, however, did not have sufficient restrictions in place to limit the topics that a user could subscribe to.
An attacker with an account on iSolarCloud.com could extract the MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus receive all messages from all connected devices.
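The missing control described above, as an added illustration that is not Sungrow's code: a broker-side SUBSCRIBE authorization check over a constructed per-device topic layout (`devices/<serial>/<metric>`, an assumption, not iSolarCloud's real scheme), with a small simulation of what a lone `#` filter delivers with and without the check.

```python
from __future__ import annotations

# Constructed topic layout for this example: devices/<device_sn>/<metric>.
# This is an assumption for illustration, not iSolarCloud's real topic scheme.
TOPIC_PREFIX = "devices"


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the rest of the topic."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def authorize_subscribe(user_devices: set[str], topic_filter: str) -> bool:
    """Broker-side SUBSCRIBE check: allow only filters that cannot match another user's devices."""
    levels = topic_filter.split("/")
    if "#" in levels[:-1]:
        return False  # '#' is only legal as the final level; reject malformed filters
    if len(levels) < 2 or levels[0] != TOPIC_PREFIX:
        return False  # a wildcard or foreign prefix at the root spans every tenant
    device = levels[1]
    if device in ("+", "#"):
        return False  # a wildcard at the device level is exactly the '#'-style overreach
    return device in user_devices  # only the caller's own serial numbers are allowed


def deliver(user_devices: set[str], topic_filter: str,
            published: list[str], enforce_acl: bool = True) -> list[str]:
    """Simulate which published topics a subscriber would receive for a given filter."""
    if enforce_acl and not authorize_subscribe(user_devices, topic_filter):
        return []  # broker refuses the subscription (SUBACK failure code)
    return [t for t in published if topic_matches(topic_filter, t)]


# Constructed sample traffic from several tenants' inverters.
PUBLISHED = [
    "devices/SN-AAA/power",
    "devices/SN-AAA/temperature",
    "devices/SN-BBB/power",
    "devices/SN-CCC/power",
]
```

Without the check, the `#` filter returns every tenant's messages; with it, a user only receives topics under their own serial numbers.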
Affected Versions
Vulnerable: iSolarCloud commonService before the remediation applied on June 7, 2025.
Not Affected: iSolarCloud commonService from the remediation applied on June 7, 2025 onward.
Vulnerability Rating
CVE-2025-29756: 8.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:Y/V:C)
The scoring is based on the CVSS 4.0 standard. The scoring criteria can be referenced at
Mitigation and Remediation
Recommended Action: iSolarCloud was upgraded and repaired on June 7, 2025; no customer action is required.
Patch Release: N/A.
Temporary Fix: N/A.
Exploitation Status
No known exploitation in the wild.
Acknowledgments
This vulnerability was discovered and reported by Harm van den Brink from DIVD.
Statement
All software updates, patches, and documentation provided by Sungrow Power Supply Co., Ltd. are the proprietary work of Sungrow. These materials may only be used for product maintenance and security improvements. Any unauthorized modification, distribution, decompilation, or reverse engineering is strictly prohibited.
Sungrow makes no express or implied warranties regarding the information provided, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement. Sungrow shall not be liable for any direct, indirect, incidental, or consequential damages arising from the use of this document or associated software.
Sungrow reserves the right to update or modify this document at any time without prior notice. Customers are responsible for implementing security updates in a timely manner to protect their systems.