Skip to main content

Sip

6 CVEs product

Monthly

CVE-2026-58479 CRITICAL POC Act Now

Remote command injection in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets unauthenticated or CSRF-driven attackers store a malicious payload via the optional cli_control plugin's HTTP endpoint and execute arbitrary OS commands on the host when the linked irrigation station is activated. Because the plugin ships with no passphrase protection or the well-known default passphrase 'opendoor', exploitation is trivial on default installs. Publicly available exploit code exists (ZeroScience/VulnCheck), though the flaw is not listed in CISA KEV, and the CVSS 4.0 base score is 9.2 (Critical).

CSRF Command Injection Sip
NVD
CVSS 4.0
9.2
EPSS
5.2%
CVE-2026-58478 MEDIUM POC This Month

Server-side request forgery in Sustainable Irrigation Platform (SIP) through version 5.2.16 allows unauthenticated network attackers to weaponize the device as an HTTP proxy against internal or external hosts. Exploitation requires the optional Node-RED plugin to be installed and leverages the known default passphrase 'opendoor' to bypass authentication to the plugin interface - dramatically lowering the practical barrier for blind SSRF. A publicly available proof-of-concept exploit exists per ZeroScience advisory ZSL-2026-5998; no CISA KEV listing at time of analysis.

SSRF Sip
NVD
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-58477 HIGH POC This Week

Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated attackers overwrite sensitive settings - including the passphrase and listening port - by injecting arbitrary parameter names into HTTP requests. Because the application binds request parameters directly to internal configuration objects without an allow-list, the same effect can be triggered blindly through cross-site request forgery against an authenticated operator's browser. Publicly available exploit code exists (ZeroScience ZSL-2026-5997), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

CSRF Sip
NVD
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-60114 HIGH POC This Week

Arbitrary file write in Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers plant JSON files outside the intended data directory by abusing the JSON backup-restore feature, which builds file paths from attacker-controlled keys without validation. Because the default deployment ships with no required passphrase (or the hardcoded default 'opendoor'), an attacker can reach the restore endpoint without legitimate credentials. Publicly available exploit code exists (VulnCheck / Zero Science advisory), and EPSS/KEV data were not provided, so exploitation appears proof-of-concept rather than confirmed in-the-wild.

Path Traversal Sip
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-58476 HIGH POC This Week

Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute state-changing administrative actions when a logged-in administrator is lured to a malicious page, because administrative endpoints accept HTTP GET requests with no CSRF token or origin validation. An attacker can disable the passphrase, reboot the irrigation controller, delete watering programs, or install plugins; in the default configuration these endpoints are exposed to unauthenticated users because no passphrase is required and the default credential is 'opendoor'. Publicly available exploit code exists (ZeroScience ZSL-2026-5995), though there is no public exploit identified as being used in active campaigns.

CSRF Sip
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-58475 MEDIUM POC This Month

Stored cross-site scripting in Sustainable Irrigation Platform (SIP) through version 5.2.16 enables unauthenticated remote attackers to permanently inject arbitrary JavaScript by submitting crafted program names via HTTP requests, with the payload executing in every subsequent viewer's browser. Exploitation is significantly facilitated by the application's acceptance of submissions with no passphrase configured or using the default passphrase 'opendoor', removing any authentication barrier in common deployments. A publicly available proof-of-concept exploit from ZeroScience (ZSL-2026-5994) documents the attack path; this CVE is not currently listed in the CISA KEV catalog.

XSS Sip
NVD
CVSS 4.0
5.3
EPSS
0.2%
EPSS 5% CVSS 9.2
CRITICAL POC Act Now

Remote command injection in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets unauthenticated or CSRF-driven attackers store a malicious payload via the optional cli_control plugin's HTTP endpoint and execute arbitrary OS commands on the host when the linked irrigation station is activated. Because the plugin ships with no passphrase protection or the well-known default passphrase 'opendoor', exploitation is trivial on default installs. Publicly available exploit code exists (ZeroScience/VulnCheck), though the flaw is not listed in CISA KEV, and the CVSS 4.0 base score is 9.2 (Critical).

CSRF Command Injection Sip
NVD
EPSS 0% CVSS 6.3
MEDIUM POC This Month

Server-side request forgery in Sustainable Irrigation Platform (SIP) through version 5.2.16 allows unauthenticated network attackers to weaponize the device as an HTTP proxy against internal or external hosts. Exploitation requires the optional Node-RED plugin to be installed and leverages the known default passphrase 'opendoor' to bypass authentication to the plugin interface - dramatically lowering the practical barrier for blind SSRF. A publicly available proof-of-concept exploit exists per ZeroScience advisory ZSL-2026-5998; no CISA KEV listing at time of analysis.

SSRF Sip
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated attackers overwrite sensitive settings - including the passphrase and listening port - by injecting arbitrary parameter names into HTTP requests. Because the application binds request parameters directly to internal configuration objects without an allow-list, the same effect can be triggered blindly through cross-site request forgery against an authenticated operator's browser. Publicly available exploit code exists (ZeroScience ZSL-2026-5997), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

CSRF Sip
NVD
EPSS 0% CVSS 8.7
HIGH POC This Week

Arbitrary file write in Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers plant JSON files outside the intended data directory by abusing the JSON backup-restore feature, which builds file paths from attacker-controlled keys without validation. Because the default deployment ships with no required passphrase (or the hardcoded default 'opendoor'), an attacker can reach the restore endpoint without legitimate credentials. Publicly available exploit code exists (VulnCheck / Zero Science advisory), and EPSS/KEV data were not provided, so exploitation appears proof-of-concept rather than confirmed in-the-wild.

Path Traversal Sip
NVD
EPSS 0% CVSS 7.0
HIGH POC This Week

Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute state-changing administrative actions when a logged-in administrator is lured to a malicious page, because administrative endpoints accept HTTP GET requests with no CSRF token or origin validation. An attacker can disable the passphrase, reboot the irrigation controller, delete watering programs, or install plugins; in the default configuration these endpoints are exposed to unauthenticated users because no passphrase is required and the default credential is 'opendoor'. Publicly available exploit code exists (ZeroScience ZSL-2026-5995), though there is no public exploit identified as being used in active campaigns.

CSRF Sip
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Stored cross-site scripting in Sustainable Irrigation Platform (SIP) through version 5.2.16 enables unauthenticated remote attackers to permanently inject arbitrary JavaScript by submitting crafted program names via HTTP requests, with the payload executing in every subsequent viewer's browser. Exploitation is significantly facilitated by the application's acceptance of submissions with no passphrase configured or using the default passphrase 'opendoor', removing any authentication barrier in common deployments. A publicly available proof-of-concept exploit from ZeroScience (ZSL-2026-5994) documents the attack path; this CVE is not currently listed in the CISA KEV catalog.

XSS Sip
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy