Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This affects an unknown part of the file /rest/file/uploadLedImage of the component Endpoint. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
An unrestricted file upload vulnerability exists in the Tiandy Easy7 Integrated Management Platform version 7.17.0, specifically in the /rest/file/uploadLedImage endpoint. This vulnerability allows remote attackers without authentication to upload arbitrary files, potentially leading to remote code execution. A proof-of-concept exploit has been publicly released and the vendor has not responded to disclosure attempts, leaving this vulnerability unpatched and actively exploitable.
Technical ContextAI
The vulnerability affects the Tiandy Easy7 Integrated Management Platform (CPE: cpe:2.3:a:tiandy:easy7_integrated_management_platform:*:*:*:*:*:*:*:*), which appears to be a security/surveillance management system. The flaw is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type), occurring in the LED image upload functionality at the /rest/file/uploadLedImage endpoint. This type of vulnerability typically occurs when applications fail to properly validate file types, extensions, or content before accepting uploads, allowing attackers to upload executable files or scripts that can be later executed on the server.
RemediationAI
No official patch is available as the vendor has not responded to vulnerability disclosure. Immediate mitigation steps include: 1) Restrict network access to the /rest/file/uploadLedImage endpoint through firewall rules or web application firewall, 2) Implement authentication requirements for file upload functionality if possible through reverse proxy, 3) Monitor for suspicious file uploads and unusual activity on affected systems, 4) Consider disabling the LED image upload feature if not business-critical, 5) Isolate affected systems from critical infrastructure until a patch becomes available. Organizations should monitor vendor channels for future security updates.
A critical OS command injection vulnerability exists in Tiandy Easy7 Integrated Management Platform versions up to 7.17.
OS command injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows remote unauthenticated attackers to ex
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an authentication bypass in the Device Identifier Handler co
Weak password recovery in Tiandy Easy7 Integrated Management Platform 7.17.0 exposes the `/rest/user/updateUserPassword`
Unauthenticated SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 exposes database contents to remote
SQL injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 allows unauthenticated remote attacke
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an SQL injection vulnerability in the /rest/devStatus/getDev
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12357