ScadaWatt Otopilot CVE-2025-4822
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bayraktar Solar Energies ScadaWatt Otopilot allows SQL Injection.
This issue affects ScadaWatt Otopilot: before 27.05.2025.
AnalysisAI
SQL injection in Bayraktar Solar Energies ScadaWatt Otopilot (versions before 27.05.2025) allows remote unauthenticated attackers to manipulate backend database queries over the network. With a CVSS 9.8 rating and full impact across confidentiality, integrity, and availability, successful exploitation can yield complete database compromise of this SCADA solar energy monitoring platform. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Technical ContextAI
ScadaWatt Otopilot is a SCADA (Supervisory Control and Data Acquisition) platform from Bayraktar Solar Energies used to monitor and manage solar energy installations. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input is concatenated into SQL queries without proper parameterization or escaping. In SCADA environments, the backing database typically stores telemetry, device configuration, user credentials, and operational state, making SQLi particularly dangerous because it can pivot from a web-tier flaw into operational technology impact. No CPE strings were provided in the source data, so the exact affected components (specific endpoints, parameters, or auth tier) cannot be enumerated from the public record.
Affected ProductsAI
Bayraktar Solar Energies ScadaWatt Otopilot is affected in all versions before the 27.05.2025 (May 27, 2025) build. No CPE was published in the available data and no specific component or module is named. The Turkish national CERT advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0175 and https://www.usom.gov.tr/bildirim/tr-25-0175 are the authoritative references; no direct vendor advisory URL is included in the source data.
RemediationAI
Patch available per vendor advisory: upgrade ScadaWatt Otopilot to the 27.05.2025 build or later as referenced by USOM TR-25-0175 (https://www.usom.gov.tr/bildirim/tr-25-0175 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0175); contact Bayraktar Solar Energies directly to obtain the fixed release since no public download link is provided. Until patched, restrict network reachability of the ScadaWatt management interface to a management VLAN or jump host and block it from the public internet, which is appropriate for a SCADA system but may interrupt remote operator access. Place a WAF or reverse proxy in front of the application with SQLi signatures enabled (accepting that signature-based filtering can be bypassed and is a stopgap, not a fix), enable database query logging to detect anomalous queries, and audit application database accounts to ensure they run with least privilege so a successful injection cannot drop tables or read unrelated schemas.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today