Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0 allows remote unauthenticated attackers to manipulate the fCircuitids parameter in the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint, leading to unauthorized database queries and potential information disclosure. Publicly available exploit code exists and the vulnerability affects a widely used industrial energy management system with no vendor response or patch confirmation.
Technical ContextAI
The vulnerability exists in a web application endpoint (/SubstationWEBV2/main/elecMaxMinAvgValue) that processes the fCircuitids parameter without proper input validation or parameterized queries. This is a classic CWE-89 SQL injection flaw where user-supplied input is concatenated directly into SQL statements executed against the backend database. The ECEMS system is an enterprise-grade microgrid management platform that controls critical energy distribution infrastructure, making database access a significant operational risk. The attack vector is purely network-based with no authentication required (AV:N/PR:N), and the application likely uses a relational database backend (SQL Server, MySQL, or PostgreSQL) accessible through the compromised parameter.
RemediationAI
No vendor-released patch has been identified; Acrel did not respond to early disclosure notifications. Immediate mitigation requires input validation and parameterized query implementation by deploying a Web Application Firewall (WAF) with SQL injection detection rules to block requests containing SQL metacharacters in the fCircuitids parameter. Restrict network access to the /SubstationWEBV2/main/ endpoint to trusted administrative IP ranges only, using network segmentation or firewall rules. Implement database access controls to ensure the application database user account has minimal privileges (read-only access where possible, no DDL permissions). Enable SQL query logging and set up real-time alerts for suspicious SQL patterns or failed authentication attempts. Organizations should contact Acrel directly at security contact channels to request a patched version; if unavailable within a defined timeframe, consider evaluating alternative SCADA/microgrid management solutions that receive active security support. Each mitigation has trade-offs: WAF rules may block legitimate circuit queries with special characters (test before production); IP restriction limits remote monitoring capability; database read-only mode may break operational features requiring writes.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26832