Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network parameter injection (AV:N/AC:L/PR:N/UI:N) overwrites config for high integrity impact; changing the listening port yields low availability impact and no confidentiality impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a mass assignment vulnerability that allows unauthenticated attackers to overwrite sensitive configuration settings by supplying arbitrary parameter names in HTTP requests. Attackers can manipulate parameters corresponding to sensitive values such as the passphrase and listening port, and can also achieve the same result through cross-site request forgery due to the absence of adequate request validation.
AnalysisAI
Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated attackers overwrite sensitive settings - including the passphrase and listening port - by injecting arbitrary parameter names into HTTP requests. Because the application binds request parameters directly to internal configuration objects without an allow-list, the same effect can be triggered blindly through cross-site request forgery against an authenticated operator's browser. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The direct attack requires only network reachability to the SIP HTTP interface and no authentication (AV:N/AC:L/PR:N/UI:N) against SIP up to and including version 5.2.16 - the attacker supplies parameter names corresponding to sensitive config values such as the passphrase and listening port, and the vulnerable autobind logic accepts them. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L) and 8.8 base score describe network-reachable, low-complexity, unauthenticated exploitation with high integrity impact and low availability impact - consistent with the description of arbitrary configuration overwrite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the SIP web interface sends a crafted HTTP request containing parameter names matching internal config fields (e.g. the passphrase and listening port), causing the server to overwrite those settings and hand the attacker control of the platform's security state. … |
| Remediation | No vendor-released patch version was identified at time of analysis, so upgrade guidance cannot cite an exact fixed release - monitor the vendor and the VulnCheck advisory (https://www.vulncheck.com/advisories/sustainable-irrigation-platform-mass-assignment-via-http-parameters) and ZeroScience advisory (https://www.zeroscience.mk/#/advisories/ZSL-2026-5997) for a fixed build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, implement network-level access controls to restrict HTTP/HTTPS traffic to SIP administrative interfaces to trusted management networks and IP ranges only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote command injection in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets unauthenticated or CSR
Arbitrary file write in Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers plant JSON files outs
Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute sta
Server-side request forgery in Sustainable Irrigation Platform (SIP) through version 5.2.16 allows unauthenticated netwo
Stored cross-site scripting in Sustainable Irrigation Platform (SIP) through version 5.2.16 enables unauthenticated remo
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43688
GHSA-6862-8mf9-7vg4