Skip to main content

Acrel EEMS Cloud Platform EUVDEUVD-2026-26833

| CVE-2026-7695 MEDIUM
SQL Injection (CWE-89)
2026-05-03 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
May 03, 2026 - 13:22 NVD
HIGH MEDIUM
CVSS changed
May 03, 2026 - 13:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
PoC Detected
May 03, 2026 - 13:16 vuln.today
Public exploit code
Analysis Generated
May 03, 2026 - 13:15 vuln.today
EUVD ID Assigned
May 03, 2026 - 13:00 euvd
EUVD-2026-26833
Analysis Generated
May 03, 2026 - 13:00 vuln.today
CVE Published
May 03, 2026 - 12:15 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 allows remote unauthenticated attackers to read, modify, or delete database contents via the fCircuitids parameter in /SubstationWEBV2/main/elecMaxMinAvgValue endpoint. Publicly available exploit code exists (VulDB 360864) with low attack complexity (CVSS AC:L), enabling attackers to compromise confidentiality, integrity, and availability of backend data. EPSS data unavailable; not listed in CISA KEV. Vendor was notified but remains unresponsive, suggesting no official patch timeline.

Technical ContextAI

This is a classic SQL injection vulnerability (CWE-89) in a power operations management web application. The affected endpoint /SubstationWEBV2/main/elecMaxMinAvgValue processes the fCircuitids parameter without proper input validation or parameterized queries, allowing attackers to inject arbitrary SQL commands into backend database queries. EEMS (Enterprise Energy Management System) platforms typically manage electrical substations, energy consumption monitoring, and critical infrastructure data using web-based interfaces with SQL databases (likely MySQL, MSSQL, or Oracle). The vulnerable parameter name suggests it handles circuit IDs for electrical systems, meaning successful exploitation could expose or manipulate operational technology (OT) data including electrical grid configurations, consumption metrics, and control system parameters. CPE string confirms Acrel Electrical as vendor with version 1.3.0 specifically affected.

RemediationAI

Vendor has not responded to vulnerability disclosure and no official patch is available per VulDB submission (https://vuldb.com/submit/803275). Organizations running EEMS 1.3.0 should immediately implement compensating controls: (1) Deploy web application firewall (WAF) with SQL injection signatures to filter requests to /SubstationWEBV2/main/elecMaxMinAvgValue - test thoroughly as aggressive filtering may break legitimate circuit ID queries; (2) Restrict network access to the platform via IP allowlisting for authorized users only, converting AV:N to AV:A - reduces attack surface but impacts remote monitoring capabilities; (3) Place application behind reverse proxy with strict input validation on fCircuitids parameter allowing only alphanumeric circuit identifiers - requires understanding legitimate parameter format to avoid operational disruption; (4) Enable database query logging and implement SIEM alerting for SQL error messages or anomalous query patterns from application account - detection-focused, not preventative; (5) If application architecture permits, reduce database account privileges to read-only for affected endpoint - mitigates I:L and A:L impacts but may break write functionality. Long-term: evaluate migration to alternative vendor platforms given lack of vendor security engagement. Monitor https://vuldb.com/vuln/360864/cti for threat intelligence updates.

Share

EUVD-2026-26833 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy