Recently, the MQTT protocol, favored for its lightweight nature, has emerged as a preferred choice for IoT communications. However, MQTT brokers—the critical components responsible for message routing— are vulnerable to memory corruption, posing significant security risks. Although several fuzzers have been proposed to uncover memory corruption in brokers, their effectiveness is constrained by two fundamental limitations. First, existing fuzzers struggle to satisfy MQTT’s complex constraints when generating valid test cases. Second, the protocol’s extensive field variations across different packets complicate the mutation process, as existing black-box fuzzers cannot prioritize high-risk fields, leading to blind mutations.

To address these challenges, we propose the Interaction Constraints Model (ICM), designed to finely represent MQTT protocol constraints. Then, we generate test cases following constraints by traversing ICM, ensuring compliant interactions that cover complex scenarios and minimize abnormal connection interruptions. Furthermore, we design a heuristic strategy for mutation energy allocation. By parsing responses in real-time, we adjust the energy allocation dynamically to concentrate on the fields more prone to bugs. Finally, we implement prototype \system, a new framework for MQTT protocol modeling, and efficient MQTT broker fuzzing. We evaluated \system on six widely used MQTT brokers and compared it with state-of-the-art fuzzers. The result shows that \system achieved a 30.88% improvement in compliance interaction within test cases, successfully identified five new vulnerabilities, and reproduced more than 150% known bugs that other fuzzers could not.