Skip to main content

E-LAN Hybrid Recording CVE-2026-9003

| EUVDEUVD-2026-31046 HIGH
SQL Injection (CWE-89)
2026-05-20 twcert GHSA-vp9q-mvq5-jq9m
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Updated
May 20, 2026 - 04:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 20, 2026 - 04:22 vuln.today
cvss_changed
CVSS changed
May 20, 2026 - 04:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
May 20, 2026 - 04:03 vuln.today

DescriptionCVE.org

E-LAN Hybrid Recording System developed by TONNET has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

AnalysisAI

SQL injection in TONNET's E-LAN Hybrid Recording System allows unauthenticated remote attackers to execute arbitrary SQL queries and exfiltrate database contents over the network. The CVSS 4.0 score of 8.7 reflects high confidentiality impact with no required privileges or user interaction, and no public exploit identified at time of analysis. The flaw is reported through TWCERT and affects TONNET's TPR7308 product line per CPE data.

Technical ContextAI

The vulnerability is a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) flaw in TONNET's E-LAN Hybrid Recording System, a digital video recording / surveillance platform commonly deployed in enterprise and critical-infrastructure environments in the Taiwan market. Per CPE 2.3 data the affected product is cpe:2.3:a:tonnet:tpr7308 - the TPR7308 hybrid NVR/DVR appliance, which exposes a web-based management interface. SQL injection at the CWE-89 level typically arises when user-controlled HTTP parameters are concatenated into database queries without parameterized statements or input sanitization, allowing attackers to alter query logic and read arbitrary tables including credential stores, configuration, and recording metadata.

RemediationAI

Primary remediation is to apply the vendor patch referenced in the TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10912-21886-2.html and https://www.twcert.org.tw/tw/cp-132-10911-e6abb-1.html - the exact fixed firmware version was not included in the provided intelligence and must be confirmed directly from those TWCERT pages or TONNET support before deployment. As compensating controls until patching, restrict the TPR7308 web management interface to a dedicated management VLAN or jump-host network and block its HTTP/HTTPS ports at the perimeter so the vulnerable endpoint is not reachable from untrusted networks; this preserves local administrative access at the cost of remote management convenience. Additionally, place a WAF or reverse proxy in front of the device with rules to block common SQL injection patterns in query strings and POST bodies - note this is a brittle mitigation that may break legitimate operator workflows and should not substitute for patching. Rotate any credentials and review database contents that may have been exfiltrated, since SQLi read-only access typically exposes credential hashes and configuration secrets.

Share

CVE-2026-9003 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy