Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
OS command injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows remote unauthenticated attackers to execute arbitrary system commands via the 'week' parameter in the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint. The vulnerability has publicly available exploit code and is being actively tracked; the vendor has not responded to disclosure attempts.
Technical ContextAI
The vulnerability exists in the database backup functionality of Easy7's REST API. The /Easy7/rest/systemInfo/updateDbBackupInfo endpoint fails to properly sanitize user-supplied input in the 'week' parameter before passing it to OS command execution functions. This is a classic OS command injection flaw (CWE-78) where attacker-controlled data flows directly into system command execution without input validation or parameterization. The affected product is Tiandy's integrated management platform, a centralized management system for networked surveillance and security devices, which typically runs on Linux servers and accepts remote REST API calls.
RemediationAI
Upgrade Tiandy Easy7 to a patched version released after the vulnerability disclosure if available from Tiandy; no specific patch version is publicly confirmed at this time. Given vendor non-responsiveness, the following compensating controls are recommended: restrict network access to the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint using firewall rules or WAF rules to only trusted administrative IP addresses; disable the updateDbBackupInfo functionality if not required for operations; implement input validation and filtering on the 'week' parameter to reject values containing shell metacharacters (|, &, ;, $, `, etc.); monitor access logs for suspicious requests to this endpoint and alert on failed or unusual backup operations; run the Easy7 service under a non-privileged OS user account with minimal required permissions to limit command execution impact.
A critical OS command injection vulnerability exists in Tiandy Easy7 Integrated Management Platform versions up to 7.17.
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an authentication bypass in the Device Identifier Handler co
An unrestricted file upload vulnerability exists in the Tiandy Easy7 Integrated Management Platform version 7.17.0, spec
Weak password recovery in Tiandy Easy7 Integrated Management Platform 7.17.0 exposes the `/rest/user/updateUserPassword`
Unauthenticated SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 exposes database contents to remote
SQL injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 allows unauthenticated remote attacke
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an SQL injection vulnerability in the /rest/devStatus/getDev
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26836