Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, no privileges required; scope changed because SSRF impacts internal systems; C:L/I:L reflects ability to probe and send requests to otherwise-inaccessible hosts.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to make the device issue arbitrary HTTP requests by supplying a malicious callback URL when the optional Node-RED plugin is installed. Attackers can exploit the lack of destination validation and the default passphrase 'opendoor' to send blind HTTP requests to arbitrary internal or external hosts not otherwise directly accessible.
AnalysisAI
Server-side request forgery in Sustainable Irrigation Platform (SIP) through version 5.2.16 allows unauthenticated network attackers to weaponize the device as an HTTP proxy against internal or external hosts. Exploitation requires the optional Node-RED plugin to be installed and leverages the known default passphrase 'opendoor' to bypass authentication to the plugin interface - dramatically lowering the practical barrier for blind SSRF. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Node-RED plugin must be installed on SIP - this is explicitly described as optional and is therefore a non-default deployment condition that substantially limits the exposed population. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.3 (Medium) with vector AV:N/AC:L/AT:P/PR:N/UI:N reflects an important nuance: AT:P indicates a specific attack requirement - the Node-RED plugin must be installed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers an internet-exposed SIP device with the Node-RED plugin installed and authenticates (or bypasses authentication) using the default passphrase 'opendoor'. They submit a crafted HTTP request to the callback URL endpoint specifying an internal RFC-1918 address - for example, a management interface on the local 192.168.x.x subnet - causing SIP to issue a blind HTTP request to that internal host. … |
| Remediation | No vendor-released patch version is confirmed from available data - the ZeroScience and VulnCheck advisories do not reference a fixed release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote command injection in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets unauthenticated or CSR
Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated
Arbitrary file write in Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers plant JSON files outs
Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute sta
Stored cross-site scripting in Sustainable Irrigation Platform (SIP) through version 5.2.16 enables unauthenticated remo
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43689
GHSA-2444-cfc6-gh44