Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Unrestricted file upload vulnerability in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 allows authenticated remote attackers to upload arbitrary files via the /SubstationWEBV2/main/uploadH5Files endpoint, potentially leading to remote code execution or system compromise. The vulnerability is tracked with CVSS 6.3 (moderate severity), publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.
Technical ContextAI
The vulnerability resides in the file upload handler at /SubstationWEBV2/main/uploadH5Files, which fails to properly validate or restrict the 'File' parameter during upload operations. This is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) issue where the application accepts file uploads without enforcing adequate type, size, or content validation. The affected product is a cloud-based enterprise power operation and maintenance platform, meaning the upload handler processes files that may be stored server-side and potentially executed or processed by backend services. The lack of file type restrictions combined with a web-accessible upload endpoint creates a direct path to arbitrary file injection.
RemediationAI
No vendor-released patch is currently available for this vulnerability (RL:X status in CVSS vector). Organizations must implement compensating controls immediately: (1) Restrict access to the /SubstationWEBV2/main/uploadH5Files endpoint to a whitelist of trusted IP addresses or VPN-only networks, reducing the attack surface to insiders or compromised internal accounts; (2) Implement strict file type validation on the server side - reject any file uploads that do not match the expected H5 file format signature (magic bytes), and store uploads in a non-executable directory outside the web root to prevent direct execution; (3) Disable or remove the upload functionality entirely if not actively used, as this eliminates the attack vector; (4) Monitor upload activity and file system changes in the upload directory for suspicious files with executable extensions (.php, .jsp, .exe, .sh, etc.); (5) Enforce strict file permissions on uploaded files (read-only, non-executable) and separate uploaded content from application binaries. Contact Acrel Electrical directly to request a security update and estimated timeline for remediation. References for additional guidance: VulDB record https://vuldb.com/vuln/360865.
Unauthenticated path traversal in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0
SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2 enables remot
SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 allows remote una
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26834