Which versions of Easy7 Integrated Management Platform are affected by CVE-2026-4288?

Tiandy Easy7 Integrated Management Platform versions 7.17.0 contain a critical SQL injection vulnerability that allows remote attackers to manipulate database queries without authentication.

Is there a public PoC exploit available for CVE-2026-4288?

Yes, a public proof-of-concept exploit is available for CVE-2026-4288. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-4288?

Within 24 hours: Inventory all systems running Tiandy Easy7 7.17.0 and isolate affected instances from production networks if possible; enable enhanced logging on the /rest/devStatus/getDevDetailedInfo endpoint. Within 7 days: Implement WAF rules to block malicious ID parameter payloads; restrict API endpoint access to authorized IP ranges only; conduct vulnerability scan to identify successful exploitation. Within 30 days: Contact Tiandy for patched version availability or plan migration to alternative platform; if patch released, test and deploy immediately.

Easy7 Integrated Management Platform CVE-2026-4288

Q: What is the CVSS score of CVE-2026-4288?

CVE-2026-4288 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-12530 MEDIUM

SQL Injection (CWE-89)

2026-03-17 VulDB

SQLi Easy7 Integrated Management Platform

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

Severity Changed

Apr 22, 2026 - 21:37 NVD

HIGH MEDIUM

CVSS changed

Apr 22, 2026 - 21:37 NVD

7.3 (HIGH) 6.9 (MEDIUM)

PoC Detected

Mar 17, 2026 - 14:20 vuln.today

Public exploit code

EUVD ID Assigned

Mar 17, 2026 - 08:13 euvd

EUVD-2026-12530

Analysis Generated

Mar 17, 2026 - 08:13 vuln.today

CVE Published

Mar 17, 2026 - 00:02 nvd

HIGH 7.3

DescriptionCVE.org

A weakness has been identified in Tiandy Easy7 Integrated Management Platform 7.17.0. The impacted element is an unknown function of the file /rest/devStatus/getDevDetailedInfo of the component Endpoint. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Tiandy Easy7 Integrated Management Platform 7.17.0 contains an SQL injection vulnerability in the /rest/devStatus/getDevDetailedInfo endpoint that allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. The vulnerability enables unauthorized access to, modification of, and disruption of sensitive data, with public exploit code already available. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send HTTP request to /rest/devStatus/getDevDetailedInfo

Exploit

Inject SQL payload in ID parameter

Execution

Execute arbitrary SQL queries

Impact

Extract or modify database contents