CVE-2025-15573
SolaX · SolaX Cloud MQTTS
SolaX devices fail to validate the server certificate when connecting to the MQTTS server, which allows an attacker in a Man-in-the-Middle (MITM) position to intercept traffic and issue unauthorized commands.
Executive summary
A critical certificate validation failure in SolaX Cloud MQTTS connections allows attackers to perform Man-in-the-Middle attacks and gain unauthorized control over affected energy devices.
Vulnerability
Affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server (mqtt001.solaxcloud.com). This allows an unauthenticated attacker in a Man-in-the-Middle position to impersonate the legitimate server and send arbitrary commands to the device.
Business impact
Successful exploitation allows an attacker to manipulate energy storage or generation parameters, potentially causing hardware damage or disrupting power supply. The CVSS score of 9.4 reflects the critical nature of this flaw, which could lead to physical safety risks or significant operational downtime in industrial or residential settings.
Remediation
Immediate Action: Apply the latest firmware updates provided by SolaX to ensure that MQTTS certificate validation is strictly enforced.
Proactive Monitoring: Inspect DNS responses and TLS handshakes for the solaxcloud.com domain for unexpected resolutions or certificates that do not chain to the expected CA, as these indicate a possible redirection or interception attempt.
Compensating Controls: Isolate IoT and energy management devices on a dedicated, secured VLAN with restricted outbound access to prevent unauthorized network interception.
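To make the flaw described above and the "strictly enforced" validation in the remediation concrete, the following added example (not SolaX firmware or any SolaX code) shows an MQTTS client TLS context built the vulnerable way next to the corrected one, plus an audit helper a reviewer can run against any client context. It assumes the standard MQTTS port 8883 and uses Python's standard ssl module only.

```python
"""CVE-2025-15573 illustration: a TLS client context that never checks the
broker certificate versus one that enforces validation. Example code added
to this advisory; it does not contact the real broker."""
import ssl
from typing import List, Optional

# Hostname from the advisory; port 8883 is the conventional MQTTS port (assumed).
SOLAX_MQTTS_HOST = "mqtt001.solaxcloud.com"
SOLAX_MQTTS_PORT = 8883


def make_weak_context() -> ssl.SSLContext:
    """Vulnerable pattern: TLS is negotiated, but the server certificate is
    never verified, so a MITM presenting any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # chain is not validated at all
    return ctx


def make_strict_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected pattern: require a chain to a trusted CA (system store or
    a pinned bundle), verify the hostname, and refuse legacy TLS versions."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means the
    certificate validation the remediation calls for is enforced."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions (< 1.2) allowed")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", make_weak_context()), ("strict", make_strict_context())):
        print(label, "->", audit_context(ctx) or "no findings")
    # A real client would then call ctx.wrap_socket(sock, server_hostname=SOLAX_MQTTS_HOST)
```

With the strict context, wrap_socket() raises ssl.SSLCertVerificationError on an impersonating broker instead of silently completing the handshake.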
Exploitation status
Public Exploit Available: false
Analyst recommendation
The failure to validate SSL/TLS certificates undermines the security of the entire communication channel. Organizations and homeowners using SolaX equipment must prioritize firmware updates to ensure the integrity of their energy management systems.