CVE-2025-7770
Published 2025-08-06
CVE-2025-7770: Tigo Energy's CCA device is vulnerable to insecure session ID generation in their remote API.
Priority P3 · 53 · high · CVSS 4.0 base score 8.7
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.47% (36.9th percentile)
Tigo Energy's CCA device is vulnerable to insecure session ID generation in their remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attackers to recreate valid session IDs. When combined with the ability to circumvent session ID requirements for certain commands, this enables unauthorized access to sensitive device functions on connected solar optimization systems.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tigo_energy | cloud_connect_advanced | <= 4.0.1 | — |
CISA ICS
Tigo Energy Cloud Connect Advanced (Update A)
cisa_ics · 2025-08-19 · CVSS 9.3 · [CRITICAL]
ICS Advisory
Last Revised: August 19, 2025
Alert Code: ICSA-25-217-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Tigo Energy
- Equipment: Cloud Connect Advanced
- Vulnerabilities: Use of Hard-coded Credentials, Command Injection, Predictable Seed in Pseudo-Random Number Generator (PRNG).
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative access using hard-coded credentials, escalate privileges to take full control of the device, modify system settin
GHSA
GHSA-gjpw-wr3x-q236: Tigo Energy's CCA device is vulnerable to insecure session ID generation in their remote API
ghsa_unreviewed · 2025-08-06 · CVE-2025-7770 · [HIGH] · CWE-337
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-08-06