CVE-2025-7769
Published: 2025-08-06
Priority: P2 77 · Severity: high · CVSS 4.0 base score: 8.7
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
Exploit: public exploit available
EPSS: 16.24% (96.5th percentile)
Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tigo_energy | cloud_connect_advanced | <= 4.0.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to /cgi-bin/mobile_api containing semicolons or shell metacharacters in the 'cmd' field, particularly with the DEVICE_PING command value, indicating command injection attempts.
- Public exploit code (Exploit-DB 52404) targets Tigo Energy CCA version 4.0.1 and prior; alert on exploitation attempts against devices running these versions.
- The exploit uses Content-Type: application/json with a JSON body; correlate this with the specific User-Agent string 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0)' for exploit-tool fingerprinting.
- The vulnerability is exploitable with default/hard-coded credentials (CVE-2025-7768, the companion vulnerability); exploitation of CVE-2025-7769 in practice leverages these default credentials, so credential hardening is a prerequisite mitigation.
- No vendor patch is available as of the advisory date; Tigo Energy is actively working on a fix. Affected versions are 4.0.1 and prior.
- Public exploit code is confirmed available for CVE-2025-7769, raising the urgency of network-level mitigations such as isolating the device from internet exposure.
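As an added example (not code from the page's sources or from Tigo Energy), the three network indicators above turned into a small Python check that runs over constructed request records; the JSON body layout is an assumption beyond the 'cmd' field the guidance names.

```python
import json
import re

# Constructed sample requests, not real traffic. Only the 'cmd' field is
# taken from the detection guidance; the rest of the body layout is assumed.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/cgi-bin/mobile_api",
     "headers": {"Content-Type": "application/json",
                 "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0)"},
     "body": '{"cmd": "DEVICE_PING; id"}'},
    {"method": "POST", "path": "/cgi-bin/mobile_api",
     "headers": {"Content-Type": "application/json", "User-Agent": "TigoApp/1.0"},
     "body": '{"cmd": "DEVICE_PING"}'},
    {"method": "GET", "path": "/index.html", "headers": {}, "body": ""},
]

SHELL_META = re.compile(r"[;|&`$(){}<>\n]")  # separator / substitution characters
EXPLOIT_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0)"  # quoted above


def _string_leaves(obj, path="body"):
    """Yield (json_path, value) for every string leaf of a decoded JSON body."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _string_leaves(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _string_leaves(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def score_request(req):
    """Return the indicators matched by one request (empty list = nothing suspicious)."""
    findings = []
    if req["method"] != "POST" or req["path"] != "/cgi-bin/mobile_api":
        return findings  # only the vulnerable endpoint is of interest
    try:
        body = json.loads(req["body"] or "{}")
    except json.JSONDecodeError:
        return ["malformed JSON body sent to mobile_api"]
    leaves = list(_string_leaves(body))
    meta_paths = [p for p, v in leaves if SHELL_META.search(v)]
    findings += [f"shell metacharacters in {p}" for p in meta_paths]
    if meta_paths and any("DEVICE_PING" in v for _, v in leaves):
        findings.append("DEVICE_PING combined with shell metacharacters (CVE-2025-7769 pattern)")
    if req["headers"].get("User-Agent") == EXPLOIT_UA:
        findings.append("User-Agent matches the public exploit fingerprint")
    return findings
```

A legitimate DEVICE_PING from the mobile app produces no findings; only the metacharacter and fingerprint indicators raise alerts.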
CISA ICS
## Tigo Energy Cloud Connect Advanced (Update A)
ICS Advisory · cisa_ics · 2025-08-19 · CVSS 9.3 · CRITICAL
Last revised: August 19, 2025
Alert code: ICSA-25-217-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Tigo Energy
- Equipment: Cloud Connect Advanced
- Vulnerabilities: Use of Hard-coded Credentials, Command Injection, Predictable Seed in Pseudo-Random Number Generator (PRNG).
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative access using hard-coded credentials, escalate privileges to take full control of the device, modify system settin
GHSA
GHSA-crj2-hw3j-xqwx · ghsa_unreviewed · 2025-08-06 · CVE-2025-7769 · HIGH · CWE-77
No detection rules found.
No writeups or analysis indexed.