Skip to main content

Tiandy Easy7 Integrated Management Platform CVE-2026-4287

| EUVDEUVD-2026-12529 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-17 cna@vuldb.com
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
Severity Changed
Apr 22, 2026 - 21:37 NVD
HIGH MEDIUM
CVSS changed
Apr 22, 2026 - 21:37 NVD
7.3 (HIGH) 6.9 (MEDIUM)
EUVD ID Assigned
Mar 17, 2026 - 08:13 euvd
EUVD-2026-12529
Analysis Generated
Mar 17, 2026 - 08:13 vuln.today
CVE Published
Mar 17, 2026 - 00:16 nvd
HIGH 7.3

DescriptionCVE.org

A security flaw has been discovered in Tiandy Easy7 Integrated Management Platform 7.17.0. The affected element is an unknown function of the file /rest/devStatus/queryResources of the component Endpoint. Performing a manipulation of the argument areaId results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows unauthenticated remote attackers to manipulate the areaId parameter in the /rest/devStatus/queryResources endpoint and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Successful exploitation could result in unauthorized data access, modification, or system disruption.

Technical ContextAI

The vulnerability affects Tiandy's Easy7 Integrated Management Platform, which appears to be a device management and monitoring system. The flaw is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which in this case manifests as SQL injection where user-supplied input in the areaId parameter is not properly sanitized before being incorporated into SQL queries. The vulnerable endpoint /rest/devStatus/queryResources likely handles device status queries based on area identifiers, and the lack of input validation allows attackers to inject malicious SQL statements through this parameter.

RemediationAI

As the vendor has not responded to disclosure attempts and no patch is currently available, organizations should implement compensating controls immediately. Deploy a web application firewall (WAF) to filter malicious SQL injection attempts targeting the /rest/devStatus/queryResources endpoint, specifically monitoring and sanitizing the areaId parameter. Consider restricting network access to the Easy7 platform to trusted IP ranges only and implement database activity monitoring to detect potential exploitation attempts. Monitor the VulDB advisory at https://vuldb.com/?id.351292 for updates on vendor response or patch availability.

Share

CVE-2026-4287 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy