Oscar winner Daniel Kaluuya will co-write—and presumably reprise his voice role—in a standalone film following Hobie Brown, last seen in ‘Spider-Man: Across the Spider-Verse.’

Camp Snap, a brand known for its budget-friendly screen-free digital cameras, has announced its first video camera. The new Camp Snap CS-8’s design was inspired by the Super 8mm film cameras released by companies like Kodak and Canon in the ‘60s and ‘70s. Its functionality is similarly limited and streamlined to make the CS-8 user-friendly, […]

Hundreds of uncontrolled wildfires have created a public health hazard across much of North America.

The “spicy’ mode for Grok’s new generative AI video tool feels like a lawsuit waiting to happen. While other video generators like Google’s Veo and OpenAI’s Sora have safeguards in place to prevent users from creating NSFW content and celebrity deepfakes, Grok Imagine is happy to do both simultaneously. In fact, it didn’t hesitate to […]

Lindsay Lohan and Jamie Lee Curtis bring the laughs in a fun but flimsy romp.

Residents in five zip codes across Central Harlem are being advised to seek immediate medical care if they develop flu-like symptoms.

The Google Pixel 9A is a midrange phone done right, offering a great balance of hardware, features, and value. Normally it costs $499, but now you can scoop up the 128GB model for an all-time low of $399 ($100 off) at Amazon, Best Buy, and the Google Store.  The Pixel A-series has long been our […]

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Tigo Energy
• Equipment: Cloud Connect Advanced
• Vulnerabilities: Use of Hard-coded Credentials, Command Injection, Predictable Seed in Pseudo-Random Number Generator (PRNG).

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative access using hard-coded credentials, escalate privileges to take full control of the device, modify system settings, disrupt solar energy production, interfere with safety mechanisms, execute arbitrary commands via command injection, cause service disruptions, expose sensitive data, and recreate valid session IDs to access sensitive device functions on connected solar inverter systems due to insecure session ID generation.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Cloud Connect Advanced are affected:

• Cloud Connect Advanced: Versions 4.0.1 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Use of Hard-coded Credentials CWE-798

Tigo Energy’s Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This vulnerability enables attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms.

CVE-2025-7768 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7768. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) CWE-77

Tigo Energy’s CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure.

CVE-2025-7769 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7769. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Predictable Seed in Pseudo-Random Number Generator (PRNG) CWE-337

Tigo Energy’s CCA device is vulnerable to insecure session ID generation in their remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attackers to recreate valid session IDs. When combined with the ability to circumvent session ID requirements for certain commands, this enables unauthorized access to sensitive device functions on connected solar optimization systems.

CVE-2025-7770 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7770. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Anthony Rose and Jacob Krasnov of BC Security and Peter Kariuki of Ovanova reported these vulnerabilities to CISA.

4. MITIGATIONS

Tigo Energy is aware of these vulnerabilities and is actively working on a fix to address them.

Visit Tigo Energy’s Help Center for more specific security recommendations.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
• CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• August 5, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 4.1
• ATTENTION: Low attack complexity
• Vendor: Mitsubishi Electric Iconics Digital Solutions, Mitsubishi Electric
• Equipment: ICONICS Product Suite and Mitsubishi Electric MC Works64
• Vulnerability: Windows Shortcut Following (.LNK)

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in information tampering.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ICONICS Product Suite and Mitsubishi Electric MC Works64 are affected:

• GENESIS64: All versions
• GENESIS: Version 11.00
• Mitsubishi Electric MC Works64: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Windows Shortcut Following (.LNK) CWE-64

An information tampering vulnerability due to Windows Shortcut Following exists in multiple processes in GENESIS64, MC Works64, and GENESIS. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability. By creating a symbolic link, an attacker can cause the processes to make unauthorized writes to arbitrary files on the file system in any location that is accessible to the user under which the elevated processes are running, resulting in a denial-of-service (DoS) condition on the PC if the modified file is necessary for the operation of the PC.

CVE-2025-7376 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-7376. A base score of 4.1 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Iconics Digital Solutions recommends users upgrade to GENESIS Version 11.01, which contains a fix for this vulnerability. For the highest level of security, it is recommended that users upgrade their system to the latest version and keep it up-to-date with the latest releases. Consult Mitsubishi Electric Iconics Digital Solutions Support for upgrade assistance.

Users who remain on affected versions should be aware of this information tampering vulnerability and take any necessary precautions to keep the system safe from potential attackers such as:

• Configure the PCs with the affected product installed so that only an administrator can log in.
• PCs with the affected product installed should be configured to block remote logins from untrusted networks and hosts, and from non-administrator users.
• Block unauthorized access by using a firewall or virtual private network (VPN), etc., and allow remote login only to administrators when connecting the PCs with the affected product installed to the Internet.
• Restrict physical access to the PC with the affected product installed and the network to which the PC is connected to prevent unauthorized physical access.
• Do not click on web links in emails from untrusted sources. Also, do not open attachments in untrusted emails.

Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommends updating the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here (login required).

For more information, see Mitsubishi Electric’s security advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• August 5, 2025: Initial Publication