Critical vulnerabilities reported in Tigo Energy Cloud connect advanced solar management platform
Take action: If you have Tigo Energy Cloud Connect Advanced solar devices, make sure to isolate them from the internet and place them behind firewalls. Then reach out to Tigo Energy for patches.
Learn More
CISA is reporting multiple security vulnerabilities affecting Tigo Energy's Cloud Connect Advanced solar management platform.
Tigo Energy's Cloud Connect Advanced platform is deployed across the global energy sector, serving as backbone technology for smart solar infrastructure in residential installations, community solar farms, and critical energy facilities.
Vulnerabilities summary
- CVE-2025-7768 (CVSS score 9.3) - hard-coded credentials that allow unauthorized users to gain administrative access to the CCA device.
- CVE-2025-7769 (CVSS score 8.7) - command injection flaw located in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is executed. This vulnerability allows remote code execution due to improper handling of user input, enabling attackers to execute arbitrary commands on compromised devices.
- CVE-2025-7770 (CVSS score 8.7) - affects the session ID generation mechanism in the device's remote API. Session identifiers are created using predictable methods based on current timestamps, allowing sophisticated attackers to recreate valid session IDs and circumvent authentication requirements.
Tigo Energy has acknowledged awareness of these security flaws and is actively developing fixes to address all identified vulnerabilities. No timeline for patch availability has been disclosed, leaving deployed systems potentially vulnerable until updates become available.
CISA recommends mitigations to minimize network exposure for all control system devices by ensuring they are not directly accessible from the internet, locate control system networks and remote devices behind properly configured firewalls and isolate isolating them from business networks.
