
Rebadged, Relabeled, and Rooted: Pwnage via the Solar Supply Chain

DEFCONConference · 32:33 · 291 views · 6 months ago

This talk demonstrates multiple critical vulnerabilities in solar power management systems, including hard-coded credentials, command injection, and insecure session management. The researchers analyze the supply chain of various solar inverter and monitoring devices, revealing that many 'US-made' products are simply rebranded Chinese hardware with insecure, opaque software. The presentation highlights how these vulnerabilities allow for remote power denial and potential catastrophic safety failures in microgrid deployments. The researchers provide a detailed walkthrough of exploiting these devices, including bypassing authentication and achieving remote code execution.

Rooting the Solar Supply Chain: Hardcoded Credentials and Command Injection in Microgrid Controllers

TLDR: Researchers at DEF CON 2025 exposed a massive supply chain failure in solar power management systems, where supposedly US-made devices are actually rebranded, insecure Chinese hardware. These devices suffer from trivial vulnerabilities like hardcoded credentials, command injection, and insecure session management, allowing for remote power denial. Pentesters should prioritize auditing these IoT gateways, as they often provide a direct, unauthenticated path into critical infrastructure.

The security of our energy infrastructure is currently built on a foundation of sand. While we focus on hardening cloud environments and securing enterprise networks, the physical layer—specifically the microgrid controllers and solar inverters managing power generation—is being deployed with security flaws that would have been considered amateurish a decade ago. Recent research presented at DEF CON 2025 demonstrates that the supply chain for these devices is a disaster, characterized by widespread rebranding of insecure hardware and a complete lack of basic security hygiene.

The Illusion of "Made in the USA"

Many Western companies market solar inverters and monitoring gateways as being designed and manufactured in the United States. In reality, these products are often just rebadged hardware from Chinese manufacturers like LuxPower or Deye. The software running on these devices is equally opaque, frequently containing Chinese-language debugging comments and hardcoded credentials that have been public knowledge for years.

When you encounter these devices on a penetration test, do not assume they are isolated or secure. They are often plugged directly into the internet without a router or firewall in front of them. Because they are designed to phone home to cloud-based monitoring platforms, they act as persistent, unauthenticated backdoors into the networks where they are installed.

Exploiting the Tigo Cloud Connect Advance

The Tigo Cloud Connect Advance (CCA) is a prime example of these systemic failures. It is used to collect data from solar microgrids and manage rapid shutdown compliance. During the research, three distinct vulnerabilities were identified: CVE-2025-7768 (hardcoded credentials), CVE-2025-7769 (command injection), and CVE-2025-7770 (insecure session ID generation).

The hardcoded credentials are a recurring theme. For years, the default username and password for these devices have been shared openly on forums like Photovoltaic Forum. Despite this, the manufacturer has failed to implement any meaningful changes.

The command injection vulnerability is particularly egregious. The DEVICE_PING function in the /cgi-bin/mobile_api endpoint accepts user input for a ping interval but fails to sanitize it. By injecting shell metacharacters, an attacker can achieve remote code execution as root. The following payload demonstrates how simple it is to trigger this:

curl -u Tigo:Solar -H "X-Requested-With: com.tigoenergy.smart" \
-d "PingTimeout=; ping -c 1 192.168.0.2; #" \
http://<target_ip>/cgi-bin/mobile_api
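As an added illustration (not Tigo's code and not from the talk), here is the bug class reconstructed in C beside a hardened handler: the PingTimeout parameter is parsed as a bounded integer and ping is exec'd through an argv array with no shell in the path. The mapping to ping's -W option, the 1..60 s range and the 192.168.0.1 host are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern (reconstruction of the bug class, not Tigo's source): the raw
 * PingTimeout value is spliced into a shell command line, so the page's payload
 * "; ping -c 1 192.168.0.2; #" becomes extra commands run by the root CGI.
 * This only builds the string; the original would hand it to system(). */
void build_ping_cmd_unsafe(const char *ping_timeout, char *out, size_t len)
{
    snprintf(out, len, "ping -c 1 -W %s 192.168.0.1", ping_timeout);
}

/* Hardened: PingTimeout must be a plain decimal integer in a sane range
 * (1..60 s is an assumed policy). Returns 0 and stores the value, else -1. */
int parse_ping_timeout(const char *s, long *out)
{
    char *end;
    if (!s) return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    /* end == s: no digits; *end != '\0': trailing junk such as ';' */
    if (errno != 0 || end == s || *end != '\0' || v < 1 || v > 60)
        return -1;
    *out = v;
    return 0;
}

/* Hardened: exec ping with an argv array and no shell, so metacharacters are
 * never interpreted. Returns ping's exit status (127 if exec fails), or -1 if
 * the parameter is rejected. 192.168.0.1 is a placeholder upstream host. */
int ping_safe(const char *ping_timeout)
{
    long t; char tbuf[16];
    if (parse_ping_timeout(ping_timeout, &t) != 0)
        return -1;
    snprintf(tbuf, sizeof tbuf, "%ld", t);
    char *argv[] = { "ping", "-c", "1", "-W", tbuf, "192.168.0.1", NULL };
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

The same validate-then-exec shape applies to any CGI parameter that ends up in a process invocation; the shell is the component to remove, not the characters to filter.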

This endpoint is not just a ping utility; it is a covert backdoor. If you provide the correct "magic number" hash, the service will enable SSH access and kill any existing sessions, effectively locking out legitimate users while granting the attacker full control.

Insecure Session Management and Account Takeover

The session management on these devices is equally broken. The session ID generation relies on srand() seeded with the current time, which is predictable. Because the devices are configured to Pacific Time, an attacker can easily synchronize their attempts to guess the session ID.
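To make the defect concrete, here is an added example (a reconstruction, not Tigo's source) of a session ID drawn from srand()/rand() seeded with the login time, next to a replacement that reads 128 bits from the kernel CSPRNG. The ID widths and the /dev/urandom source are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Weak pattern as the talk describes it (reconstructed, not Tigo's source):
 * the C PRNG is seeded with the login time, so the session ID is a pure
 * function of that second and can be regenerated by anyone who can narrow
 * the login time to a small window. */
unsigned int session_id_weak(time_t login_time)
{
    srand((unsigned int)login_time);
    return ((unsigned int)rand() << 16) ^ (unsigned int)rand();
}

/* Fixed: 128 bits from the kernel CSPRNG, hex-encoded into a 33-byte buffer.
 * Returns 0 on success, -1 if /dev/urandom cannot be read. */
int session_id_strong(char out[33])
{
    unsigned char raw[16];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* The defect expressed as a check: two logins that share a timestamp share an
 * ID under the weak scheme, never under the strong one. Returns 1 when that
 * holds, 0 otherwise, -1 if the CSPRNG is unavailable. */
int weak_scheme_is_deterministic(time_t t)
{
    char a[33], b[33];
    if (session_id_strong(a) != 0 || session_id_strong(b) != 0) return -1;
    return session_id_weak(t) == session_id_weak(t) && strcmp(a, b) != 0;
}
```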

Even if you cannot guess the session ID, you can perform an account takeover using only the device's serial number. The registration portal does not require any personal information or proof of ownership. By enumerating serial numbers—which are not randomized and often follow predictable patterns—you can register a device that is already in use, reset the password, and gain full control over the monitoring account. This allows an attacker to see exactly when a home is occupied, track power usage patterns, and, most dangerously, send commands to the inverter to shut down power generation.

The Reality of Testing IoT Gateways

When you are tasked with testing these systems, start by identifying the monitoring gateway. Use nmap to scan for open HTTP services. If you find a device that looks like a solar monitoring portal, check the default credentials immediately. If those fail, look for the /cgi-bin/ directory.

The impact of these vulnerabilities is not limited to data theft. Because these devices are responsible for power phasing and safety shutdowns, an attacker with root access can trigger a catastrophic safety failure. In a microgrid, this could mean forcing the system to disconnect from the grid or, in extreme cases, damaging the physical hardware.

Defensive Realities

Defending against these threats requires a shift in how we treat IoT devices. If you are responsible for securing these systems, the first step is to isolate them. Never expose these controllers directly to the internet. Place them behind a robust firewall and restrict access to known, trusted IP addresses.

Disable automatic firmware updates if possible, as these are often the primary vector for remote management and potential exploitation. If you must use remote monitoring, demand that the manufacturer provide documentation on their security practices and, more importantly, proof that they have addressed these OWASP Top 10 vulnerabilities.

The solar industry is growing at an unprecedented rate, but security is being left behind. As researchers and pentesters, we have a responsibility to keep pushing these manufacturers until they stop treating security as an afterthought. If you find these devices on your network, treat them as compromised until you have verified their configuration and locked them down. The next time you see a solar installation, remember that the gateway on the wall might be the easiest way into the entire facility.

Talk Type: research presentation
Difficulty: advanced
Category: iot security
Tags: Has Demo · Has Code · Tool Released


DEF CON 33 Main Stage Talks
98 talks · 2025