EUVD-2026-20886
GHSA-p6w4-7rrj-xwqx
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description
Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control System version 9.8.5
Analysis
SQL injection in Hydrosystem Control System versions before 9.8.5 allows authenticated attackers to execute arbitrary SQL commands via unprotected input parameters across multiple scripts. Exploitation requires low-privilege authentication but no user interaction, enabling attackers to compromise database confidentiality and integrity with potential for full database control. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Hydrosystem Control System deployments and identify running versions; document all users with low-privilege authentication access and review recent account creations or privilege escalations. Within 7 days: Implement network segmentation to restrict database access from Hydrosystem application servers; disable or restrict low-privilege user accounts where operationally feasible; enable SQL query logging and audit all executed commands for suspicious activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today