Peter Kariuki

**Name of the Vulnerable Software and Affected Versions** Tigo Energy Cloud Connect Advanced (CCA) (affected versions not specified) **Description** Tigo Energy's Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This allows attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tigo Energy CCA (affected versions not specified) **Description** The Tigo Energy CCA is susceptible to a command injection issue in the `/cgi-bin/mobile api` endpoint when the `DEVICE PING` command is invoked. This allows for remote code execution due to inadequate handling of user input. Exploitation with default credentials could lead to unauthorized access, service disruption, and data exposure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tigo Energy CCA device (affected versions not specified) **Description** The Tigo Energy CCA device is susceptible to insecure session ID generation within its remote API. Session IDs are created using a predictable method based on the current timestamp, potentially allowing attackers to recreate valid session IDs. This, combined with the ability to bypass session ID requirements for specific commands, could grant unauthorized access to sensitive device functions on connected solar optimization systems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.