Tigo Energy Cloud Connect Advanced (Update A)

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-217-02 | Aug 5, 2025
Energy, Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Tigo Energy Cloud Connect Advanced firmware versions 4.0.1 and earlier contain multiple critical vulnerabilities: hard-coded credentials allowing unauthorized administrative access (CWE-798), command injection enabling arbitrary code execution (CWE-77), and insecure session ID generation permitting session hijacking (CWE-337). Successful exploitation allows an attacker to gain full device control, modify system settings, disrupt solar energy production, interfere with safety mechanisms, and expose sensitive data. Tigo Energy is actively working on a fix but has not yet released a patched version.

What this means
What could happen
An attacker with network access to Tigo Cloud Connect Advanced could use hard-coded credentials to gain administrative control of solar inverter systems, allowing them to disrupt energy production, modify safety settings, or execute arbitrary commands on connected equipment.
Who's at risk
Solar energy operators and manufacturers who deploy Tigo Cloud Connect Advanced firmware version 4.0.1 or earlier should care about this risk. The vulnerability affects solar inverter management systems used in utility-scale and distributed solar installations. Any organization managing solar equipment through Tigo's cloud platform is potentially impacted.
How it could be exploited
An attacker remotely discovers a Tigo Cloud Connect Advanced device on the network (port scanning). They authenticate using hard-coded credentials embedded in the firmware. Once authenticated, they inject commands through an unsecured input field or exploit weak session ID generation to escalate privileges and gain full device control.
Prerequisites
  • Network access to Tigo Cloud Connect Advanced device and port where the web interface or API listens
  • Knowledge of hard-coded credentials (default username and password)
  • Device must be reachable from the attacker's network (not isolated behind firewall)
remotely exploitable; no authentication required (hard-coded credentials); low complexity; no patch available currently; affects safety systems (solar inverter operation and safety mechanisms); high CVSS score (9.8)
Exploitability
Some exploitation risk — EPSS score 4.3%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (1)
Product | Affected Versions | Fix Status
Cloud Connect Advanced: <=4.0.1 | ≤ 4.0.1 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Tigo Cloud Connect Advanced devices to trusted networks only; implement firewall rules to block unauthorized connections from the internet or untrusted segments.
WORKAROUND: If the device uses default or hard-coded credentials, document and change any accessible credentials and audit logs for unauthorized access attempts.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor Tigo Energy's Help Center and advisory updates for availability of a firmware patch, and update to version 4.0.2 or later as soon as it is released.
Mitigations - no patch available
Cloud Connect Advanced: <=4.0.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Place Tigo Cloud Connect Advanced and connected solar inverter systems on an isolated network segment, separate from general business networks and the internet.
HARDENING: If remote administrative access is needed, implement a VPN concentrator or jump server with multi-factor authentication and restrict access to authorized personnel only.
API: /api/v1/advisories/656703e4-15be-49cf-9a40-d8c93758a93e

Tigo Energy Cloud Connect Advanced (Update A) | CVSS 9.8 - OTPulse