Anthony Rose

**Name of the Vulnerable Software and Affected Versions** Packet Power Monitoring and Control Web Interface (affected versions not specified) **Description** The Packet Power Monitoring and Control Web Interface does not enforce authentication mechanisms by default. This could allow unauthorized users to access and manipulate monitoring and control functions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Inverter (affected versions not specified) **Description** The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data. This data includes read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EG4 (affected versions not specified) **Description** The affected product allows firmware updates to be downloaded from EG4’s website, transferred via USB dongles, or installed through EG4’s Monitoring Center (remote, cloud-connected interface) or via a serial connection. These files are installed without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** versions prior to April 6, 2025 **Description** The product does not limit the number of attempts for entering the correct PIN for a registered product, potentially allowing an attacker to gain unauthorized access using brute-force methods if they have a valid device serial number. The API provides feedback upon successful PIN entry. **Recommendations** Update the product to the version released on or after April 6, 2025.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. (affected versions not specified) **Description** The public-facing product registration endpoint server responds differently based on the status of the serial number (`S/N`) – whether it is valid and unregistered, valid but already registered, or nonexistent in the database. This, combined with the sequential assignment of serial numbers, allows an attacker to gather information about the product registration status of different serial numbers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tigo Energy CCA (affected versions not specified) **Description** The Tigo Energy CCA is susceptible to a command injection issue in the `/cgi-bin/mobile api` endpoint when the `DEVICE PING` command is invoked. This allows for remote code execution due to inadequate handling of user input. Exploitation with default credentials could lead to unauthorized access, service disruption, and data exposure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tigo Energy CCA device (affected versions not specified) **Description** The Tigo Energy CCA device is susceptible to insecure session ID generation within its remote API. Session IDs are created using a predictable method based on the current timestamp, potentially allowing attackers to recreate valid session IDs. This, combined with the ability to bypass session ID requirements for specific commands, could grant unauthorized access to sensitive device functions on connected solar optimization systems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tigo Energy Cloud Connect Advanced (CCA) (affected versions not specified) **Description** Tigo Energy's Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This allows attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.