Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security flaw has been discovered in Tiandy Easy7 Integrated Management Platform 7.17.0. The affected element is an unknown function of the file /rest/devStatus/queryResources of the component Endpoint. Performing a manipulation of the argument areaId results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows unauthenticated remote attackers to manipulate the areaId parameter in the /rest/devStatus/queryResources endpoint and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Successful exploitation could result in unauthorized data access, modification, or system disruption.
Technical ContextAI
The vulnerability affects Tiandy's Easy7 Integrated Management Platform, which appears to be a device management and monitoring system. The flaw is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which in this case manifests as SQL injection where user-supplied input in the areaId parameter is not properly sanitized before being incorporated into SQL queries. The vulnerable endpoint /rest/devStatus/queryResources likely handles device status queries based on area identifiers, and the lack of input validation allows attackers to inject malicious SQL statements through this parameter.
RemediationAI
As the vendor has not responded to disclosure attempts and no patch is currently available, organizations should implement compensating controls immediately. Deploy a web application firewall (WAF) to filter malicious SQL injection attempts targeting the /rest/devStatus/queryResources endpoint, specifically monitoring and sanitizing the areaId parameter. Consider restricting network access to the Easy7 platform to trusted IP ranges only and implement database activity monitoring to detect potential exploitation attempts. Monitor the VulDB advisory at https://vuldb.com/?id.351292 for updates on vendor response or patch availability.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12529