Encs

**Name of the Vulnerable Software and Affected Versions** SunGrow's back end users system iSolarCloud (affected versions not specified) **Description** The issue concerns the MQTT service used by iSolarCloud to transport data from connected devices to the user's web browser. The MQTT server lacks sufficient restrictions on topic subscriptions, allowing unauthorized access to data. Although the data is encrypted and MQTT credentials are obtained through an API call, an attacker can extract these credentials and the decryption key from the browser. This enables the attacker to subscribe to any topic, including the '#' topic, which would allow them to receive all messages from all connected devices. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.