Skip to main content

Easy7 Integrated Management Platform CVE-2026-4585

| EUVDEUVD-2026-14410 HIGH
OS Command Injection (CWE-78)
2026-03-23 VulDB GHSA-q4p4-47vp-j2h2
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Severity Changed
Apr 24, 2026 - 16:37 NVD
CRITICAL HIGH
CVSS changed
Apr 24, 2026 - 16:37 NVD
9.8 (CRITICAL) 8.9 (HIGH)
PoC Detected
Mar 23, 2026 - 14:31 vuln.today
Public exploit code
EUVD ID Assigned
Mar 23, 2026 - 11:45 euvd
EUVD-2026-14410
Analysis Generated
Mar 23, 2026 - 11:45 vuln.today
CVE Published
Mar 23, 2026 - 11:15 nvd
CRITICAL 9.8

DescriptionCVE.org

A vulnerability has been found in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp of the component Configuration Handler. The manipulation of the argument File leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

A critical OS command injection vulnerability exists in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0, specifically in the ImportSystemConfiguration.jsp file's Configuration Handler. Attackers can remotely execute arbitrary operating system commands without authentication by manipulating the 'File' parameter. A public proof-of-concept exploit has been disclosed and is available, significantly increasing the risk of active exploitation, though the vendor has not responded to disclosure attempts.

Technical ContextAI

This vulnerability affects the Tiandy Easy7 Integrated Management Platform (cpe:2.3:a:tiandy:easy7_integrated_management_platform:*:*:*:*:*:*:*:*), a management solution for surveillance and security systems. The flaw is classified as CWE-78 (OS Command Injection), occurring in the /Easy7/apps/WebService/ImportSystemConfiguration.jsp endpoint within the Configuration Handler component. The vulnerability allows attackers to inject and execute arbitrary operating system commands by manipulating the 'File' argument during configuration import operations. This type of vulnerability typically arises from insufficient input validation and sanitization before passing user-controlled data to system shell commands or execution functions.

RemediationAI

No official patch or vendor advisory is currently available as Tiandy has not responded to vulnerability disclosure attempts. Until a patch is released, immediately remove or restrict access to the /Easy7/apps/WebService/ImportSystemConfiguration.jsp endpoint through web application firewall rules or reverse proxy configuration. Implement network segmentation to restrict access to the Easy7 management platform from trusted IP addresses only, blocking all internet-facing exposure. Deploy input validation and command injection detection rules at the perimeter. Consider disabling the ImportSystemConfiguration functionality entirely if not business-critical. Monitor system logs for suspicious activity targeting this endpoint and establish compensating detective controls. Organizations should contact Tiandy directly for patch status and consider migrating to alternative platforms if vendor support remains unavailable.

Share

CVE-2026-4585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy