EUVD-2026-20884
GHSA-hh72-xj72-2c38
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description
Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database.This issue was fixed in Hydrosystem Control System version 9.8.5
Analysis
Unauthorized access to directories in Hydrosystem Control System versions prior to 9.8.5 allows unauthenticated remote attackers to read arbitrary files and execute PHP scripts directly against the connected database. Missing authorization enforcement on specific directories enables direct file access and code execution without authentication, creating critical exposure for database manipulation and data exfiltration. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Hydrosystem Control System installations and document current versions; implement network-level access controls (WAF rules, IP whitelisting) to restrict access to vulnerable directories; notify operations and incident response teams. Within 7 days: Contact Hydrosystem vendor for patch availability timeline and interim guidance; if upgrade to version 9.8.5 or later is available, plan and execute in controlled maintenance window with testing. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today