A vulnerability exists in various SolaX Power Pocket WiFi models due to insecure credential generation for MQTT connections to the SolaX Cloud. The issue arises because the username used for authentication is the 'registration number'—a 10-character string unique to each device. The password is generated from this registration number using a proprietary XOR and transposition algorithm. This flaw allows attackers who know the registration numbers to connect to the MQTT server and impersonate the affected devices, such as dongles or inverters.
Exploitation of this vulnerability allows for unauthorized access to the SolaX Cloud MQTT server, enabling attackers to impersonate devices and potentially issue commands as if they were the legitimate hardware.
To reproduce this vulnerability, obtain the registration number from a SolaX Power Pocket device. Then, use the provided Python script to generate the corresponding password by applying the XOR/transposition algorithm to the registration number. With the registration number as the username and the generated password, connect to the SolaX Cloud MQTT server.
SolaX provides patches for the affected Pocket models, which can be downloaded through the customer's SolaX Cloud account using the Pocket firmware upgrade function. As of February 10, 2026, the latest firmware versions for each affected Pocket model are available.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
