Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.
AnalysisAI
Unauthenticated SQL injection in Nemon Trade Energy and Nemon Trade Energy CRM allows remote attackers to execute arbitrary SQL queries through the 'two_steps_auth_code' parameter on the '/user-login' endpoint. The 2FA verification flow is reachable without prior authentication, enabling full database compromise; no public exploit identified at time of analysis, but a vendor patch is available per the INCIBE advisory.
Technical ContextAI
The vulnerability is a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) flaw in the 'twoStepsAuthVerification' server-side function of Nemon's Trade Energy and Trade Energy CRM web applications (CPE: cpe:2.3:a:nemon:nemon_trade_energy:*, cpe:2.3:a:nemon:nemon_trade_energy_crm:*). The 'two_steps_auth_code' parameter - intended as a one-time 2FA token check - is concatenated into a backend SQL statement without proper parameterization or input sanitization. Compounding the issue, the 2FA verification endpoint is exposed in the pre-authentication state of the login flow, meaning the SQLi sink can be reached before any credential validation occurs.
RemediationAI
Patch available per vendor advisory - apply the update referenced in the INCIBE-CERT bulletin at https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-nemon-products as the primary remediation; exact fixed version strings were not provided in the input data and should be confirmed directly with Nemon. Until patching is complete, restrict network exposure of the '/user-login' endpoint by placing the application behind a VPN or IP allowlist (trade-off: blocks legitimate remote users and partner access), and deploy a WAF rule that blocks SQL metacharacters and common SQLi payloads in the 'two_steps_auth_code' POST parameter on the '/user-login' path (trade-off: WAF rules can be bypassed by encoding tricks and may false-positive on legitimate alphanumeric codes). Enable database query logging and alert on anomalous queries originating from the application service account to detect exploitation attempts during the patch window.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35387
GHSA-cg52-fw3m-jv5q