CVE-2025-7769
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-08-07
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tigo_energy | cca | 4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in Tigo Energy's CCA device at the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called. It allows remote attackers to execute arbitrary commands on the device due to improper handling of user input, especially when default credentials are used.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can gain unauthorized access to the device, execute arbitrary commands, potentially disrupt services, and expose sensitive data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid using default credentials on the affected device, restrict access to the /cgi-bin/mobile_api endpoint, and monitor for any unauthorized command execution attempts. Applying any available patches or updates from the vendor is also recommended.