Tigo Energy Cloud Connect Advanced Insecure Session ID Generation Vulnerability
Vulnerability
A vulnerability exists in Tigo Energy's Cloud Connect Advanced (CCA) device due to insecure session ID generation in the remote API. The session IDs are created using a predictable method based on the current timestamp, which allows attackers to reproduce valid session IDs. This vulnerability is present in versions 4.0.1 and prior. The issue is exacerbated by the ability to bypass session ID requirements for certain commands, leading to unauthorized access to sensitive device functions on connected solar optimization systems.
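The class of weakness described above, as an added example that is not Tigo's code and does not describe the CCA's actual algorithm: a hypothetical timestamp-derived session ID beside a CSPRNG-backed replacement, plus a collision check a defender can run against any generator to spot clock-derived IDs.

```python
import hashlib
import secrets
from collections import Counter

# Hypothetical illustration of the weak pattern: an ID that is a pure function
# of the clock. NOT the vendor's code; constructed here only to show the defect.
def weak_session_id(now: float) -> str:
    # Whole-second timestamp, hashed. Hashing adds no secrecy: every request in
    # the same second gets the same ID, and the ID is fixed by the time alone.
    return hashlib.sha256(str(int(now)).encode()).hexdigest()

# Hardened replacement: 256 bits from the OS CSPRNG, independent of time.
# The clock argument is accepted only so both generators share one harness.
def secure_session_id(now: float = 0.0) -> str:
    return secrets.token_hex(32)

def session_id_collisions(generator, count: int,
                          start: float = 1_700_000_000.0,
                          step: float = 0.01) -> int:
    """Issue `count` IDs at `step`-second intervals from a simulated clock and
    return how many are duplicates. A clock-derived generator collides
    constantly at realistic request rates; a CSPRNG-backed one should not."""
    ids = [generator(start + i * step) for i in range(count)]
    return sum(n - 1 for n in Counter(ids).values() if n > 1)

def generator_is_acceptable(generator, count: int = 1000) -> bool:
    """Minimal acceptance gate for a session-ID generator: zero collisions
    across a burst of requests and at least 128 bits of ID length."""
    sample = generator(1_700_000_000.0)
    return (session_id_collisions(generator, count) == 0
            and len(bytes.fromhex(sample)) * 8 >= 128)

if __name__ == "__main__":
    for name, gen in (("weak", weak_session_id), ("secure", secure_session_id)):
        print(f"{name}: collisions={session_id_collisions(gen, 100)} "
              f"acceptable={generator_is_acceptable(gen)}")
```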
Impact
Exploitation of this vulnerability could allow unauthorized access to sensitive functions on solar optimization systems by enabling attackers to recreate valid session IDs and bypass session ID requirements for certain commands.
Remediation
Tigo Energy is aware of this vulnerability and is working on a fix. For specific security recommendations, visit Tigo Energy's Help Center.