Skip to main content

ScadaWatt Otopilot CVE-2025-4822

CRITICAL
SQL Injection (CWE-89)
2025-07-24 iletisim@usom.gov.tr
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 16:31 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bayraktar Solar Energies ScadaWatt Otopilot allows SQL Injection.

This issue affects ScadaWatt Otopilot: before 27.05.2025.

AnalysisAI

SQL injection in Bayraktar Solar Energies ScadaWatt Otopilot (versions before 27.05.2025) allows remote unauthenticated attackers to manipulate backend database queries over the network. With a CVSS 9.8 rating and full impact across confidentiality, integrity, and availability, successful exploitation can yield complete database compromise of this SCADA solar energy monitoring platform. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Technical ContextAI

ScadaWatt Otopilot is a SCADA (Supervisory Control and Data Acquisition) platform from Bayraktar Solar Energies used to monitor and manage solar energy installations. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input is concatenated into SQL queries without proper parameterization or escaping. In SCADA environments, the backing database typically stores telemetry, device configuration, user credentials, and operational state, making SQLi particularly dangerous because it can pivot from a web-tier flaw into operational technology impact. No CPE strings were provided in the source data, so the exact affected components (specific endpoints, parameters, or auth tier) cannot be enumerated from the public record.

Affected ProductsAI

Bayraktar Solar Energies ScadaWatt Otopilot is affected in all versions before the 27.05.2025 (May 27, 2025) build. No CPE was published in the available data and no specific component or module is named. The Turkish national CERT advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0175 and https://www.usom.gov.tr/bildirim/tr-25-0175 are the authoritative references; no direct vendor advisory URL is included in the source data.

RemediationAI

Patch available per vendor advisory: upgrade ScadaWatt Otopilot to the 27.05.2025 build or later as referenced by USOM TR-25-0175 (https://www.usom.gov.tr/bildirim/tr-25-0175 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0175); contact Bayraktar Solar Energies directly to obtain the fixed release since no public download link is provided. Until patched, restrict network reachability of the ScadaWatt management interface to a management VLAN or jump host and block it from the public internet, which is appropriate for a SCADA system but may interrupt remote operator access. Place a WAF or reverse proxy in front of the application with SQLi signatures enabled (accepting that signature-based filtering can be bypassed and is a stopgap, not a fix), enable database query logging to detect anomalous queries, and audit application database accounts to ensure they run with least privilege so a successful injection cannot drop tables or read unrelated schemas.

Share

CVE-2025-4822 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy