Tigo Energy Cloud Connect Advanced Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in Tigo Energy's Cloud Connect Advanced (CCA) device, specifically in versions 4.0.1 and prior. The vulnerability resides in the '/cgi-bin/mobile_api' endpoint, where improper handling of user input allows for remote code execution. When the DEVICE_PING command is invoked, attackers can exploit this vulnerability to execute arbitrary commands on the device. This exploitation could lead to unauthorized access, disruption of services, and exposure of sensitive data, especially when combined with the use of default credentials.

Impact

Exploitation of this vulnerability could give attackers unauthorized access to the affected device and the ability to execute arbitrary commands on it. This could lead to unauthorized administrative access, disruption of services, interference with safety mechanisms, and exposure of sensitive data. The vulnerability could also be used to recreate valid session IDs, granting access to sensitive functions on connected solar inverter systems.

Remediation

Tigo Energy is aware of this vulnerability and is actively working on a fix. For more specific security recommendations, visit Tigo Energy's Help Center.
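
While a fix is pending, requests to the endpoint can be reviewed in proxy or sensor logs. The sketch below is an added example, not code from Tigo Energy or from this advisory: it flags log lines that reach /cgi-bin/mobile_api with DEVICE_PING and marks those whose decoded parameter values contain shell metacharacters. It assumes the command travels in the query string and that logs are in Common Log Format; the parameter names "cmd" and "host" and all sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/cgi-bin/mobile_api"  # endpoint named in the advisory
COMMAND = "DEVICE_PING"           # command named in the advisory
# Characters a shell treats as separators, pipes, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")
# Assumption: proxy/sensor logs in Common Log Format with the full request line.
LOG_LINE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample input; parameter names "cmd" and "host" are hypothetical.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Aug/2025:10:00:01 +0000] "GET /cgi-bin/mobile_api?cmd=DEVICE_PING&host=192.0.2.10 HTTP/1.1" 200 41',
    '203.0.113.9 - - [06/Aug/2025:10:02:13 +0000] "GET /cgi-bin/mobile_api?cmd=DEVICE_PING&host=192.0.2.10%3Buname HTTP/1.1" 200 64',
    '198.51.100.7 - - [06/Aug/2025:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 512',
]

def classify(line):
    """Return None or a finding dict for one access-log line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != ENDPOINT:
        return None
    # parse_qsl splits on '&' first, then percent-decodes each key and value,
    # so an encoded metacharacter such as %3B is seen in its decoded form.
    params = parse_qsl(url.query, keep_blank_values=True)
    if not any(COMMAND in k or COMMAND in v for k, v in params):
        return None
    flagged = [k for k, v in params if SHELL_META.search(v)]
    return {
        "src": m["src"],
        "severity": "injection-suspect" if flagged else "review",
        "params": flagged,
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests that carry the command in a POST body will not appear in a request-line log, so the same check would have to run where bodies are visible.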

Added: Aug 6, 2025, 9:52 PM
Updated: Aug 6, 2025, 9:52 PM