Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and unauthenticated (AV:N/PR:N) via absent/default passphrase, but execution is gated on station activation (AC:H); full RCE gives C:H/I:H/A:H with scope unchanged.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a command injection vulnerability in the optional cli_control plugin that allows unauthenticated or cross-site request forgery attackers to execute arbitrary operating-system commands by storing a malicious payload via the plugin's HTTP endpoint. Attackers can trigger execution by activating the associated irrigation station, exploiting the absence of passphrase protection or the default passphrase 'opendoor', to achieve arbitrary command execution on the underlying host.
AnalysisAI
Remote command injection in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets unauthenticated or CSRF-driven attackers store a malicious payload via the optional cli_control plugin's HTTP endpoint and execute arbitrary OS commands on the host when the linked irrigation station is activated. Because the plugin ships with no passphrase protection or the well-known default passphrase 'opendoor', exploitation is trivial on default installs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the optional cli_control plugin is installed and enabled, and that its passphrase protection is either absent or left at the default value 'opendoor' - under those conditions no valid credentials are needed (PR:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue rather than a paper-tiger high score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted HTTP request to the cli_control plugin endpoint of an internet- or LAN-reachable SIP instance, using the empty or default 'opendoor' passphrase to store a shell command payload; alternatively they lure an authenticated operator to a malicious web page that submits the same request via CSRF. When the associated irrigation station is next activated, SIP passes the stored payload to the OS shell and the attacker's command runs on the host. … |
| Remediation | No vendor-released fixed version is identified in the provided data, so treat this as: No vendor-released patch identified at time of analysis - monitor the SIP project and the VulnCheck advisory (https://www.vulncheck.com/advisories/sustainable-irrigation-platform-rce-via-cli-control-plugin-command-injection) for a patched release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, disable or restrict network access to the cli_control plugin HTTP endpoint on all SIP installations running version 5.2.16 or earlier; if disabling is not operationally feasible, implement firewall rules or network segmentation to limit access to trusted sources only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated
Arbitrary file write in Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers plant JSON files outs
Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute sta
Server-side request forgery in Sustainable Irrigation Platform (SIP) through version 5.2.16 allows unauthenticated netwo
Stored cross-site scripting in Sustainable Irrigation Platform (SIP) through version 5.2.16 enables unauthenticated remo
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43690
GHSA-j4xr-2mrh-gcch