Skip to main content

Acrel Electrical Prepaid Cloud Platform CVE-2026-5601

| EUVDEUVD-2026-19132 MEDIUM
Information Exposure (CWE-200)
2026-04-05 cna@vuldb.com GHSA-ccgx-m3fq-gwcq
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 05, 2026 - 22:22 euvd
EUVD-2026-19132
Analysis Generated
Apr 05, 2026 - 22:22 vuln.today
CVE Published
Apr 05, 2026 - 22:16 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was found in Acrel Electrical Prepaid Cloud Platform 1.0. This issue affects some unknown processing of the file /bin.rar of the component Backup File Handler. The manipulation results in information disclosure. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Remote information disclosure in Acrel Electrical Prepaid Cloud Platform 1.0 allows unauthenticated attackers to access sensitive data via the backup file handler component at /bin.rar with low attack complexity. Publicly available exploit code exists for this vulnerability, and the vendor did not respond to early disclosure notifications, leaving no patch available.

Technical ContextAI

The vulnerability resides in the Backup File Handler component of the Acrel Electrical Prepaid Cloud Platform, specifically through improper access controls on the /bin.rar file endpoint. This represents a classic information disclosure flaw (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) where backup files containing potentially sensitive system or configuration data are exposed via a web-accessible path without proper authentication or authorization checks. The remote network-based attack vector combined with no authentication requirement (PR:N in CVSS v4.0) indicates the endpoint is directly reachable and processable by any remote actor without credentials.

RemediationAI

No vendor-released patch identified at time of analysis. Immediate interim mitigations include: restricting network access to the /bin.rar endpoint via firewall rules or web application firewall (WAF) rules to permit only authorized administrative IP ranges; implementing authentication and authorization controls on the backup file handler component; moving backup files to paths not web-accessible; and applying access logs to detect exploitation attempts. Organizations should contact Acrel directly to request security updates, as the vendor did not respond to the original early disclosure. If no patch becomes available and the vulnerability cannot be mitigated through network controls, isolation or decommissioning of affected instances should be considered.

Share

CVE-2026-5601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy