Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 allows remote unauthenticated attackers to read, modify, or delete database contents via the fCircuitids parameter in /SubstationWEBV2/main/elecMaxMinAvgValue endpoint. Publicly available exploit code exists (VulDB 360864) with low attack complexity (CVSS AC:L), enabling attackers to compromise confidentiality, integrity, and availability of backend data. EPSS data unavailable; not listed in CISA KEV. Vendor was notified but remains unresponsive, suggesting no official patch timeline.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) in a power operations management web application. The affected endpoint /SubstationWEBV2/main/elecMaxMinAvgValue processes the fCircuitids parameter without proper input validation or parameterized queries, allowing attackers to inject arbitrary SQL commands into backend database queries. EEMS (Enterprise Energy Management System) platforms typically manage electrical substations, energy consumption monitoring, and critical infrastructure data using web-based interfaces with SQL databases (likely MySQL, MSSQL, or Oracle). The vulnerable parameter name suggests it handles circuit IDs for electrical systems, meaning successful exploitation could expose or manipulate operational technology (OT) data including electrical grid configurations, consumption metrics, and control system parameters. CPE string confirms Acrel Electrical as vendor with version 1.3.0 specifically affected.
RemediationAI
Vendor has not responded to vulnerability disclosure and no official patch is available per VulDB submission (https://vuldb.com/submit/803275). Organizations running EEMS 1.3.0 should immediately implement compensating controls: (1) Deploy web application firewall (WAF) with SQL injection signatures to filter requests to /SubstationWEBV2/main/elecMaxMinAvgValue - test thoroughly as aggressive filtering may break legitimate circuit ID queries; (2) Restrict network access to the platform via IP allowlisting for authorized users only, converting AV:N to AV:A - reduces attack surface but impacts remote monitoring capabilities; (3) Place application behind reverse proxy with strict input validation on fCircuitids parameter allowing only alphanumeric circuit identifiers - requires understanding legitimate parameter format to avoid operational disruption; (4) Enable database query logging and implement SIEM alerting for SQL error messages or anomalous query patterns from application account - detection-focused, not preventative; (5) If application architecture permits, reduce database account privileges to read-only for affected endpoint - mitigates I:L and A:L impacts but may break write functionality. Long-term: evaluate migration to alternative vendor platforms given lack of vendor security engagement. Monitor https://vuldb.com/vuln/360864/cti for threat intelligence updates.
Unauthenticated path traversal in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0
SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2 enables remot
Unrestricted file upload vulnerability in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platfor
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26833