Syntax: kev:true severity:critical epss:>0.95 vendor:cisco patch:false
Filters
Severity
Exploitation
Data Source
Data Quality
Vendor
CWE — Weakness Type
Clear all
Top 20 matches Showing top matches — use filters or a more specific query to narrow
SunGrow's back end users system iSolarCloud https://isolarcloud.com  uses an MQTT service to transport data from the user's connected devices to the user's web browser.  The MQTT server however did n
CVE-2024-50688
CRITICAL CVSS 9.8
Find Similar
SunGrow iSolarCloud Android application V2.1.6.20241017 and prior contains hardcoded credentials. The application (regardless of the user account) and the cloud uses the same MQTT credentials for exch
SunGrow iSolarCloud Android app V2.1.6.20241017 and prior uses an insecure AES key to encrypt client data (insufficient entropy). This may allow attackers to decrypt intercepted communications between
SunGrow WiNet-SV200.001.00.P027 and earlier versions contains hardcoded MQTT credentials that allow an attacker to send arbitrary commands to an arbitrary inverter. It is also possible to impersonate
The CloudEdge Cloud does not sanitize the MQTT topic input, which could allow an attacker to leverage the MQTT wildcard to receive all the messages that should be delivered to other users by subscribi
The Cloud MQTT service of the affected products supports wildcard topic subscription which could allow an attacker to obtain sensitive information from tapping the service communications.
SunGrow iSolarCloud Android app V2.1.6.20241104 and prior suffers from Missing SSL Certificate Validation. The app explicitly ignores certificate errors and is vulnerable to MiTM attacks. Attackers ca
The devices do not implement any authentication for the web interface or the MQTT server. An attacker who has network access to the device immediately gets administrative access to the devices and can
CVE-2025-15573
CRITICAL CVSS 9.4
Find Similar
The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a m
CVE-2024-50693
CRITICAL CVSS 9.1
Find Similar
SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the userService API model.
A vulnerability, which was classified as problematic, has been found in SunGrow Logger1000 01_A. This issue affects some unknown processing. The manipulation leads to weak password requirements. The a
CVE-2024-50685
CRITICAL CVSS 9.1
Find Similar
SunGrow iSolarCloud before the October 31, 2024 remediation, is vulnerable to insecure direct object references (IDOR) via the powerStationService API model.
CVE-2024-50686
CRITICAL CVSS 9.1
Find Similar
SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the commonService API model.
CVE-2024-50689
CRITICAL CVSS 9.1
Find Similar
SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the orgService API model.
CVE-2024-46874
CRITICAL CVSS 9.2
Find Similar
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow MQTT clients connecting with device credentials to send messages to some topics. Attackers with device credentials could is
CVE-2024-50687
CRITICAL CVSS 9.1
Find Similar
SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.
In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. T
SunGrow WiNet-SV200.001.00.P027 and earlier versions contains a hardcoded password that can be used to decrypt all firmware updates.
An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service for these stations un
CVE-2026-50083
CRITICAL CVSS 9.1
Find Similar
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.
Page 1+ Next →