Skip to main content

Sustainable Irrigation Platform CVE-2026-58479

| EUVDEUVD-2026-43690 CRITICAL
OS Command Injection (CWE-78)
2026-07-14 VulnCheck GHSA-j4xr-2mrh-gcch
9.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable and unauthenticated (AV:N/PR:N) via absent/default passphrase, but execution is gated on station activation (AC:H); full RCE gives C:H/I:H/A:H with scope unchanged.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 15:34 vuln.today
CVE Published
Jul 14, 2026 - 14:44 cve.org
CRITICAL 9.2

DescriptionCVE.org

Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a command injection vulnerability in the optional cli_control plugin that allows unauthenticated or cross-site request forgery attackers to execute arbitrary operating-system commands by storing a malicious payload via the plugin's HTTP endpoint. Attackers can trigger execution by activating the associated irrigation station, exploiting the absence of passphrase protection or the default passphrase 'opendoor', to achieve arbitrary command execution on the underlying host.

AnalysisAI

Remote command injection in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets unauthenticated or CSRF-driven attackers store a malicious payload via the optional cli_control plugin's HTTP endpoint and execute arbitrary OS commands on the host when the linked irrigation station is activated. Because the plugin ships with no passphrase protection or the well-known default passphrase 'opendoor', exploitation is trivial on default installs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach SIP cli_control HTTP endpoint
Delivery
Submit request with default/no passphrase
Exploit
Store OS command payload
Execution
Irrigation station activation triggers execution
Impact
Arbitrary commands run on host

Vulnerability AssessmentAI

Exploitation Exploitation requires that the optional cli_control plugin is installed and enabled, and that its passphrase protection is either absent or left at the default value 'opendoor' - under those conditions no valid credentials are needed (PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue rather than a paper-tiger high score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted HTTP request to the cli_control plugin endpoint of an internet- or LAN-reachable SIP instance, using the empty or default 'opendoor' passphrase to store a shell command payload; alternatively they lure an authenticated operator to a malicious web page that submits the same request via CSRF. When the associated irrigation station is next activated, SIP passes the stored payload to the OS shell and the attacker's command runs on the host. …
Remediation No vendor-released fixed version is identified in the provided data, so treat this as: No vendor-released patch identified at time of analysis - monitor the SIP project and the VulnCheck advisory (https://www.vulncheck.com/advisories/sustainable-irrigation-platform-rce-via-cli-control-plugin-command-injection) for a patched release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, disable or restrict network access to the cli_control plugin HTTP endpoint on all SIP installations running version 5.2.16 or earlier; if disabling is not operationally feasible, implement firewall rules or network segmentation to limit access to trusted sources only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy