Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability has been found in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp of the component Configuration Handler. The manipulation of the argument File leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Articles & Coverage 1
AnalysisAI
A critical OS command injection vulnerability exists in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0, specifically in the ImportSystemConfiguration.jsp file's Configuration Handler. Attackers can remotely execute arbitrary operating system commands without authentication by manipulating the 'File' parameter. A public proof-of-concept exploit has been disclosed and is available, significantly increasing the risk of active exploitation, though the vendor has not responded to disclosure attempts.
Technical ContextAI
This vulnerability affects the Tiandy Easy7 Integrated Management Platform (cpe:2.3:a:tiandy:easy7_integrated_management_platform:*:*:*:*:*:*:*:*), a management solution for surveillance and security systems. The flaw is classified as CWE-78 (OS Command Injection), occurring in the /Easy7/apps/WebService/ImportSystemConfiguration.jsp endpoint within the Configuration Handler component. The vulnerability allows attackers to inject and execute arbitrary operating system commands by manipulating the 'File' argument during configuration import operations. This type of vulnerability typically arises from insufficient input validation and sanitization before passing user-controlled data to system shell commands or execution functions.
RemediationAI
No official patch or vendor advisory is currently available as Tiandy has not responded to vulnerability disclosure attempts. Until a patch is released, immediately remove or restrict access to the /Easy7/apps/WebService/ImportSystemConfiguration.jsp endpoint through web application firewall rules or reverse proxy configuration. Implement network segmentation to restrict access to the Easy7 management platform from trusted IP addresses only, blocking all internet-facing exposure. Deploy input validation and command injection detection rules at the perimeter. Consider disabling the ImportSystemConfiguration functionality entirely if not business-critical. Monitor system logs for suspicious activity targeting this endpoint and establish compensating detective controls. Organizations should contact Tiandy directly for patch status and consider migrating to alternative platforms if vendor support remains unavailable.
OS command injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows remote unauthenticated attackers to ex
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an authentication bypass in the Device Identifier Handler co
An unrestricted file upload vulnerability exists in the Tiandy Easy7 Integrated Management Platform version 7.17.0, spec
Weak password recovery in Tiandy Easy7 Integrated Management Platform 7.17.0 exposes the `/rest/user/updateUserPassword`
Unauthenticated SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 exposes database contents to remote
SQL injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 allows unauthenticated remote attacke
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an SQL injection vulnerability in the /rest/devStatus/getDev
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14410
GHSA-q4p4-47vp-j2h2