Insecure Session ID Generation in Tigo Energy's CCA Device
CVE-2025-7770

8.7 HIGH

Key Information:

Vendor
CVE Published: 6 August 2025

What is CVE-2025-7770?

The CCA device from Tigo Energy is exposed to a significant security issue caused by predictable session ID generation in its remote API. This flaw allows attackers to recreate valid session IDs based on the current timestamp. If exploited, it provides a pathway for unauthorized access to critical functionalities of connected solar optimization systems, jeopardizing their security and integrity.

Affected Version(s)

Cloud Connect Advanced 0 <= 4.0.1

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Anthony Rose of BC Security
Jacob Krasnov of BC Security
Peter Kariuki of Ovanova