Skip to main content

Sustainable Irrigation Platform EUVDEUVD-2026-43688

| CVE-2026-58477 HIGH
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-07-14 VulnCheck GHSA-6862-8mf9-7vg4
8.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Unauthenticated network parameter injection (AV:N/AC:L/PR:N/UI:N) overwrites config for high integrity impact; changing the listening port yields low availability impact and no confidentiality impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 15:32 vuln.today
CVE Published
Jul 14, 2026 - 14:39 cve.org
HIGH 8.8

DescriptionCVE.org

Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a mass assignment vulnerability that allows unauthenticated attackers to overwrite sensitive configuration settings by supplying arbitrary parameter names in HTTP requests. Attackers can manipulate parameters corresponding to sensitive values such as the passphrase and listening port, and can also achieve the same result through cross-site request forgery due to the absence of adequate request validation.

AnalysisAI

Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated attackers overwrite sensitive settings - including the passphrase and listening port - by injecting arbitrary parameter names into HTTP requests. Because the application binds request parameters directly to internal configuration objects without an allow-list, the same effect can be triggered blindly through cross-site request forgery against an authenticated operator's browser. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach SIP web interface over network
Delivery
Send HTTP request with sensitive parameter names
Exploit
Autobind overwrites passphrase and listening port
Execution
Attacker controls platform configuration
Impact
Hijack or disrupt irrigation control

Vulnerability AssessmentAI

Exploitation The direct attack requires only network reachability to the SIP HTTP interface and no authentication (AV:N/AC:L/PR:N/UI:N) against SIP up to and including version 5.2.16 - the attacker supplies parameter names corresponding to sensitive config values such as the passphrase and listening port, and the vulnerable autobind logic accepts them. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L) and 8.8 base score describe network-reachable, low-complexity, unauthenticated exploitation with high integrity impact and low availability impact - consistent with the description of arbitrary configuration overwrite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the SIP web interface sends a crafted HTTP request containing parameter names matching internal config fields (e.g. the passphrase and listening port), causing the server to overwrite those settings and hand the attacker control of the platform's security state. …
Remediation No vendor-released patch version was identified at time of analysis, so upgrade guidance cannot cite an exact fixed release - monitor the vendor and the VulnCheck advisory (https://www.vulncheck.com/advisories/sustainable-irrigation-platform-mass-assignment-via-http-parameters) and ZeroScience advisory (https://www.zeroscience.mk/#/advisories/ZSL-2026-5997) for a fixed build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, implement network-level access controls to restrict HTTP/HTTPS traffic to SIP administrative interfaces to trusted management networks and IP ranges only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy