Skip to main content

Acrel ECEMS Enterprise CVE-2026-7694

| EUVDEUVD-2026-26832 MEDIUM
SQL Injection (CWE-89)
2026-05-03 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 12:30 vuln.today
Severity Changed
May 03, 2026 - 12:22 NVD
HIGH MEDIUM
CVSS changed
May 03, 2026 - 12:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
PoC Detected
May 03, 2026 - 12:15 vuln.today
Public exploit code
EUVD ID Assigned
May 03, 2026 - 12:00 euvd
EUVD-2026-26832
Analysis Generated
May 03, 2026 - 12:00 vuln.today
CVE Published
May 03, 2026 - 11:45 nvd
MEDIUM 5.5

DescriptionCVE.org

A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0 allows remote unauthenticated attackers to manipulate the fCircuitids parameter in the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint, leading to unauthorized database queries and potential information disclosure. Publicly available exploit code exists and the vulnerability affects a widely used industrial energy management system with no vendor response or patch confirmation.

Technical ContextAI

The vulnerability exists in a web application endpoint (/SubstationWEBV2/main/elecMaxMinAvgValue) that processes the fCircuitids parameter without proper input validation or parameterized queries. This is a classic CWE-89 SQL injection flaw where user-supplied input is concatenated directly into SQL statements executed against the backend database. The ECEMS system is an enterprise-grade microgrid management platform that controls critical energy distribution infrastructure, making database access a significant operational risk. The attack vector is purely network-based with no authentication required (AV:N/PR:N), and the application likely uses a relational database backend (SQL Server, MySQL, or PostgreSQL) accessible through the compromised parameter.

RemediationAI

No vendor-released patch has been identified; Acrel did not respond to early disclosure notifications. Immediate mitigation requires input validation and parameterized query implementation by deploying a Web Application Firewall (WAF) with SQL injection detection rules to block requests containing SQL metacharacters in the fCircuitids parameter. Restrict network access to the /SubstationWEBV2/main/ endpoint to trusted administrative IP ranges only, using network segmentation or firewall rules. Implement database access controls to ensure the application database user account has minimal privileges (read-only access where possible, no DDL permissions). Enable SQL query logging and set up real-time alerts for suspicious SQL patterns or failed authentication attempts. Organizations should contact Acrel directly at security contact channels to request a patched version; if unavailable within a defined timeframe, consider evaluating alternative SCADA/microgrid management solutions that receive active security support. Each mitigation has trade-offs: WAF rules may block legitimate circuit queries with special characters (test before production); IP restriction limits remote monitoring capability; database read-only mode may break operational features requiring writes.

Share

CVE-2026-7694 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy