CVE-2025-7770
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-08-07
Assigner: ICS-CERT
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tigo_energy | cca_device | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-337 | A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Tigo Energy's CCA device involves insecure session ID generation in their remote API. The session IDs are created using a predictable method based on the current timestamp, which allows attackers to recreate valid session IDs. Additionally, attackers can bypass session ID requirements for certain commands, enabling unauthorized access to sensitive device functions in connected solar optimization systems.
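The CWE-337 pattern described above, shown as an added example that is not part of the original page or the vendor's code: a session ID derived from a time-seeded PRNG next to a CSPRNG-based one, with an audit check you can run against your own generator. The weak scheme, the function names and the sample timestamp are assumptions made for illustration; the device's actual algorithm is not given on this page.

```python
import random
import secrets
from typing import Callable, Optional


def weak_session_id(issued_at: int) -> str:
    """Hypothetical weak scheme (assumption, not the device's algorithm):
    the PRNG is seeded with the issue time in whole seconds, so the ID is
    a pure function of the clock."""
    return f"{random.Random(issued_at).getrandbits(128):032x}"


def strong_session_id() -> str:
    """Hardened form: 128 bits from the OS CSPRNG, independent of time."""
    return secrets.token_hex(16)


def find_time_seed(session_id: str,
                   generator: Callable[[int], str],
                   approx_time: int,
                   window_s: int) -> Optional[int]:
    """Audit check for a generator you own: return the timestamp within
    +/- window_s of approx_time that reproduces session_id, or None.
    A non-None result means the ID carries no secret entropy."""
    for ts in range(approx_time - window_s, approx_time + window_s + 1):
        if generator(ts) == session_id:
            return ts
    return None


if __name__ == "__main__":
    issued = 1_754_400_000          # constructed sample timestamp
    observed_at = issued + 30       # auditor only knows the rough time

    weak = weak_session_id(issued)
    strong = strong_session_id()

    # The weak ID looks random (32 hex chars) but only 2*window+1 values
    # are possible for a known time window; the strong ID has 2**128.
    print("weak   :", weak, "-> seed",
          find_time_seed(weak, weak_session_id, observed_at, 60))
    print("strong :", strong, "-> seed",
          find_time_seed(strong, weak_session_id, observed_at, 60))
```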
How can this vulnerability impact me?
This vulnerability can allow attackers to gain unauthorized access to sensitive functions of the solar optimization system devices. This unauthorized access could lead to manipulation or disruption of device operations, potentially affecting the performance, security, and reliability of the connected solar energy systems.