1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Tigo Energy
- Equipment: Cloud Connect Advanced
- Vulnerabilities: Use of Hard-coded Credentials, Command Injection, Predictable Seed in Pseudo-Random Number Generator (PRNG).
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative access using hard-coded credentials, escalate privileges to take full control of the device, modify system settings, disrupt solar energy production, interfere with safety mechanisms, execute arbitrary commands via command injection, cause service disruptions, expose sensitive data, and recreate valid session IDs to access sensitive device functions on connected solar inverter systems due to insecure session ID generation.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Cloud Connect Advanced are affected:
- Cloud Connect Advanced: Versions 4.0.1 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 Use of Hard-coded Credentials CWE-798
Tigo Energy’s Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This vulnerability enables attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms.
CVE-2025-7768 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for
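The two weakness classes this advisory names that lend themselves to a code illustration are the hard-coded credential (CWE-798) and the predictable session ID generation. The Python below is an added example written for this page, not Tigo Energy firmware: it places the weak pattern next to a hardened one and adds two defensive self-checks (a startup check that refuses to run with a known default credential, and a reproducibility test for the session ID generator). The `_BUILTIN_PASSWORD` value, the `KNOWN_DEFAULTS` list, the `enroll`/`hardened_login` functions and the writable config partition mentioned in comments are all assumptions constructed for the example.

```python
"""Hard-coded credentials and predictable session IDs: weak pattern beside a
hardened one. Illustration code, not vendor code."""
import hashlib
import hmac
import os
import random
import secrets
from dataclasses import dataclass

# --- Weak patterns ----------------------------------------------------------

# CWE-798: the credential is baked into the firmware image, so anyone who can
# read the image can log in to every unit. (constructed placeholder value)
_BUILTIN_USER = "admin"
_BUILTIN_PASSWORD = "factory-default"


def weak_login(user: str, password: str) -> bool:
    """Authenticates against a constant compiled into the code."""
    return user == _BUILTIN_USER and password == _BUILTIN_PASSWORD


def weak_session_id(seed: int) -> str:
    """Seeds a non-cryptographic PRNG with a low-entropy value (here a caller
    supplied timestamp), so the 'random' ID is fully reproducible."""
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)


# --- Hardened patterns ------------------------------------------------------

PBKDF2_ITERATIONS = 600_000  # raise or lower to match the device's CPU budget
KNOWN_DEFAULTS = ("factory-default", "admin", "password")  # constructed list


@dataclass(frozen=True)
class StoredCredential:
    user: str
    salt: bytes
    digest: bytes


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def enroll(user: str, password: str) -> StoredCredential:
    """Creates a per-device credential record at provisioning time. Nothing
    secret is compiled into the code; the record would be written to the
    device's writable config partition (hypothetical location)."""
    salt = os.urandom(16)
    return StoredCredential(user, salt, _derive(password, salt))


def hardened_login(store: StoredCredential, user: str, password: str) -> bool:
    """Verifies against the provisioned record using a constant-time compare,
    so timing does not reveal how many digest bytes matched."""
    if user != store.user:
        return False
    return hmac.compare_digest(_derive(password, store.salt), store.digest)


def is_factory_default(store: StoredCredential) -> bool:
    """Startup check: a device should refuse to expose remote administration
    while its stored credential still equals any known default."""
    return any(hardened_login(store, store.user, d) for d in KNOWN_DEFAULTS)


def hardened_session_id() -> str:
    """Draws the token from the OS CSPRNG; there is no seed to guess."""
    return secrets.token_hex(16)


def session_ids_reproducible(generator, seed: int, trials: int = 3) -> bool:
    """Defensive self-check: if re-running the generator with the same seed
    yields the same ID every time, it is unfit for session tokens."""
    ids = {generator(seed) for _ in range(trials)}
    return len(ids) == 1


if __name__ == "__main__":
    cred = enroll("admin", "correct horse battery staple")
    print("hardened login ok:", hardened_login(cred, "admin", "correct horse battery staple"))
    print("still factory default:", is_factory_default(cred))
    print("weak IDs reproducible:", session_ids_reproducible(weak_session_id, 1_700_000_000))
    print("hardened IDs reproducible:",
          session_ids_reproducible(lambda _s: hardened_session_id(), 1_700_000_000))
```

The two self-checks are the part worth carrying into a real build: `is_factory_default` is the gate that blocks remote administration until the installer sets a unique credential, and `session_ids_reproducible` is a unit test that fails the moment someone swaps a seeded PRNG back into the token generator.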