CVE-2026-7695 Overview
CVE-2026-7695 is a SQL injection vulnerability in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform version 1.3.0. The flaw resides in the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint, where the fCircuitids parameter is concatenated into a SQL query without validation or parameterization. Remote attackers can manipulate this parameter to inject arbitrary SQL statements without authentication. Exploit details have been publicly disclosed, which raises the risk of opportunistic attacks against Internet-exposed instances. According to the disclosure, the vendor was contacted prior to publication but did not respond.
Critical Impact
Unauthenticated remote attackers can inject SQL through the fCircuitids parameter to read, modify, or exfiltrate data from the database supporting the power operation and maintenance cloud platform. What an injection can reach is bounded only by the privileges of the database account the application connects with.
Affected Products
- Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0
- Vulnerable endpoint: /SubstationWEBV2/main/elecMaxMinAvgValue
- Vulnerable parameter: fCircuitids
Discovery Timeline
- 2026-05-03 - CVE-2026-7695 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7695
Vulnerability Analysis
The vulnerability is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the general injection class of which SQL injection (CWE-89) is the specific case. The elecMaxMinAvgValue handler within the SubstationWEBV2 module accepts the fCircuitids argument from HTTP request input and incorporates it into a backend SQL query. Because the application neither parameterizes the query nor validates the input as a list of numeric circuit identifiers, an attacker can append SQL syntax that the database executes under the application's database account.
The EEMS platform aggregates electrical metering data such as maximum, minimum, and average values across substation circuits. A successful injection therefore exposes operational technology data, customer information, and any other content in the same database instance that the application's account can read. The EPSS probability for this CVE is 0.028% as of 2026-05-07; EPSS estimates the likelihood of exploitation in the wild, not severity, so a low score does not reduce the impact on an exposed instance.
Root Cause
The root cause is the direct concatenation of attacker-controlled input into a SQL statement. The application treats fCircuitids as a trusted comma-separated list of circuit identifiers but performs no type validation and no prepared-statement binding, so any deviation from the expected numeric list format is passed unchanged to the database driver. The correct fix is to reject anything that is not a list of integers and to bind each identifier as a query parameter instead of splicing it into the statement text.
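The following is an added illustration of the root cause and its fix, not code from the Acrel product or the disclosure. The table and column names, the sample rows, and the list-size bounds are assumptions chosen for the demonstration; the two handler functions stand in for the elecMaxMinAvgValue code path. The vulnerable version splices fCircuitids into an IN (...) list exactly as the advisory describes, so a tautology or a UNION payload changes the query; the hardened version validates the parameter as an integer list and binds each value through a placeholder.

```python
import re
import sqlite3

# Constructed sample data: a stand-in for the per-circuit metering table the
# elecMaxMinAvgValue handler would query. Table and column names are
# assumptions for illustration, not Acrel's schema.
SAMPLE_ROWS = [
    (101, 398.2, 372.1, 385.0),
    (102, 401.7, 380.4, 390.2),
    (103, 395.0, 365.8, 381.3),
]


def make_db():
    """In-memory SQLite database seeded with metering rows plus one credential
    row in an unrelated table, to show what an injection can reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE circuit_stats ("
        "circuit_id INTEGER, max_v REAL, min_v REAL, avg_v REAL)"
    )
    conn.execute("CREATE TABLE app_user (name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO circuit_stats VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.execute("INSERT INTO app_user VALUES ('admin', 'c0ffee')")
    return conn


def elec_max_min_avg_vulnerable(conn, f_circuit_ids):
    """The pattern the advisory describes: the raw parameter is spliced into
    the IN (...) list, so any SQL syntax in fCircuitids reaches the database."""
    sql = (
        "SELECT circuit_id, max_v, min_v, avg_v FROM circuit_stats "
        "WHERE circuit_id IN (" + f_circuit_ids + ") ORDER BY circuit_id"
    )
    return conn.execute(sql).fetchall()


# Allow-list for the expected shape: 1 to 200 decimal integers, comma separated.
# The bounds are assumed sane request sizes, not vendor limits.
_ID_LIST = re.compile(r"[0-9]{1,10}(,[0-9]{1,10}){0,199}")


def parse_circuit_ids(f_circuit_ids):
    """Validate fCircuitids as a list of integers; reject anything else."""
    if not _ID_LIST.fullmatch(f_circuit_ids):
        raise ValueError("fCircuitids must be a comma-separated list of integers")
    return [int(token) for token in f_circuit_ids.split(",")]


def elec_max_min_avg_hardened(conn, f_circuit_ids):
    """Validated input bound through placeholders: one '?' per id, values
    passed separately so the driver never interprets them as SQL."""
    ids = parse_circuit_ids(f_circuit_ids)
    placeholders = ",".join("?" * len(ids))
    sql = (
        "SELECT circuit_id, max_v, min_v, avg_v FROM circuit_stats "
        f"WHERE circuit_id IN ({placeholders}) ORDER BY circuit_id"
    )
    return conn.execute(sql, ids).fetchall()


def demo():
    """Run a benign request and two injection payloads against both versions."""
    conn = make_db()
    benign = "101,103"
    tautology = "101) OR 1=1 --"  # closes the IN list, then matches every row
    union = "0) UNION SELECT name, password_hash, 0, 0 FROM app_user --"
    results = {
        "vulnerable_benign": elec_max_min_avg_vulnerable(conn, benign),
        "vulnerable_tautology": elec_max_min_avg_vulnerable(conn, tautology),
        "vulnerable_union": elec_max_min_avg_vulnerable(conn, union),
        "hardened_benign": elec_max_min_avg_hardened(conn, benign),
    }
    rejected, accepted = [], []
    for payload in (tautology, union):
        try:
            elec_max_min_avg_hardened(conn, payload)
            accepted.append(payload)
        except ValueError:
            rejected.append(payload)
    results["hardened_rejected"] = rejected
    results["hardened_accepted"] = accepted
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block shows the tautology returning all three circuits and the UNION payload returning the credential row from a table the endpoint was never meant to touch, while the hardened handler rejects both payloads before any SQL is built. Whatever the platform's real language, the shape of the fix is the same: an allow-list on the parameter and parameter binding in the query.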
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends a crafted HTTP request to /SubstationWEBV2/main/elecMaxMinAvgValue with a malicious fCircuitids value. Standard SQL injection techniques such as boolean-based blind, time-based blind, and UNION-based extraction are the likely avenues; which of them succeed depends on the backend database engine and on whether query errors are returned to the client. Refer to the VulDB Vulnerability #360864 and Feishu Documentation Resource entries for additional technical detail.
Detection Methods for CVE-2026-7695
Indicators of Compromise
- HTTP requests to /SubstationWEBV2/main/elecMaxMinAvgValue containing SQL meta-characters such as single quotes, semicolons, UNION, SELECT, SLEEP(, or comment markers (--, /*) in the fCircuitids parameter, including their URL-encoded forms (%27, %3B, %2D%2D) and whitespace substitutes (%20, +, /**/). Any value that is not a comma-separated list of integers is suspect.
- Database error text in HTTP responses, or response times that track a delay argument (for example, requests containing SLEEP(5) that take about five seconds longer than normal), correlated with requests to the affected endpoint.
- Unusually large result sets returned to the EEMS application server, or database connections from the application server outside its normal operating windows.
Detection Strategies
- Deploy web application firewall signatures that flag SQL syntax in numeric-only parameters such as fCircuitids, and decode URL encoding before matching.
- Enable database query auditing for the EEMS application account and look for statements whose IN list contains anything other than integer literals (UNION, OR, comment markers, nested SELECTs), since the legitimate query for this endpoint should never carry them.
- Correlate web server access logs with database error logs to identify failed injection attempts that precede successful exploitation; probing usually produces a run of malformed queries before a working payload.
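The following is an added detection example, not tooling from the page or the vendor, that applies the indicators and strategies above to web server access logs. It assumes Common Log Format lines with the request in the query string; the sample lines are constructed, the client addresses are documentation ranges, and the marker list mirrors the indicator bullet. Values are decoded twice so that double-encoded payloads such as %2527 are not missed, and findings are counted per source address, which is the signal worth alerting on.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/SubstationWEBV2/main/elecMaxMinAvgValue"
PARAM = "fCircuitids"

# Common Log Format: client - - [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# What a legitimate fCircuitids looks like: integers separated by commas.
BENIGN = re.compile(r"[0-9]+(,[0-9]+)*")

# SQL meta-characters and keywords from the indicator list above.
SQLI_MARKERS = re.compile(
    r"'|;|--|/\*|\b(?:union|select|sleep|benchmark|waitfor)\b", re.IGNORECASE
)

# Constructed sample log lines (not real traffic); the hostile ones are illustrative.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [03/May/2026:10:01:02 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=101,102 HTTP/1.1" 200 812',
    '203.0.113.7 - - [03/May/2026:10:02:15 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=101)%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 412',
    '203.0.113.7 - - [03/May/2026:10:02:31 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=0)%20UNION%20SELECT%201,2,3,4--%20 HTTP/1.1" 500 0',
    '203.0.113.7 - - [03/May/2026:10:02:40 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=%2531%2527 HTTP/1.1" 200 412',
    '10.0.0.5 - - [03/May/2026:10:03:00 +0000] "GET /SubstationWEBV2/main/other?fCircuitids=1\' HTTP/1.1" 200 100',
]


def classify(value):
    """Return None for a well-formed id list, else a short reason string.
    The value from parse_qs is already percent-decoded once; decode again so
    double-encoded payloads (%2527 -> %27 -> ') are not missed."""
    decoded = unquote_plus(value)
    if BENIGN.fullmatch(decoded):
        return None
    m = SQLI_MARKERS.search(decoded)
    if m:
        return "sql-marker:" + m.group(0).lower()
    return "non-numeric"


def scan(lines):
    """Return one finding per hostile fCircuitids value sent to the endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        # Only the query string is visible in an access log; a POST body
        # carrying fCircuitids needs request-body logging or a WAF to inspect.
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            reason = classify(value)
            if reason:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                    "value": value, "reason": reason,
                })
    return findings


def attempts_by_source(findings):
    """Count injection attempts per client address; a run of hits from one
    address against this endpoint is what the alert should fire on."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG_LINES)
    for h in hits:
        print(h["ts"], h["ip"], h["status"], h["reason"], repr(h["value"]))
    print(attempts_by_source(hits))
```

On the sample lines the scanner flags three requests from 203.0.113.7 (a time-based probe, a UNION probe that produced a 500, and a double-encoded quote) and ignores both the benign request and the quote sent to an unrelated path. Pair the per-source count with the 500-status correlation from the strategies above: a 500 following a flagged request is a malformed probe, a 200 with an unusual response size following one is the more worrying case.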
Monitoring Recommendations
- Alert on repeated 500-series HTTP responses from the /SubstationWEBV2/main/ path tree.
- Monitor for spikes in row counts returned by queries originating from the EEMS application user account.
- Track new outbound connections from the database server, which can indicate data exfiltration following injection.
How to Mitigate CVE-2026-7695
Immediate Actions Required
- Restrict network access to the EEMS web interface so it is reachable only from trusted management networks or via VPN.
- Place the application behind a web application firewall configured to block SQL injection patterns targeting the fCircuitids parameter.
- Review database and web server logs for prior exploitation attempts referencing elecMaxMinAvgValue.
Patch Information
No vendor patch has been published. According to the public disclosure on VulDB Vulnerability #360864, the vendor was notified but did not respond. Operators should track the VulDB CTI for #360864 and Acrel vendor channels for future updates.
Workarounds
- Block or filter requests to /SubstationWEBV2/main/elecMaxMinAvgValue at the reverse proxy until a fix is available.
- Enforce least-privilege database accounts so the EEMS application account can read only the tables the application needs and cannot execute administrative SQL. This limits the blast radius of an injection but does not prevent it.
- Apply input validation at an upstream proxy to reject fCircuitids values that contain non-numeric characters or comma-separated tokens longer than expected.
# Example NGINX rule to block non-numeric fCircuitids values in the query string.
# Caveats: $arg_* variables see only the URL query string, so this does not cover
# fCircuitids sent in a POST body; the value is matched URL-encoded, so "%27" is
# rejected because "%" is outside the allowed set; an absent or empty parameter is
# passed through unchanged. Treat it as a stopgap until a vendor fix is available.
location /SubstationWEBV2/main/elecMaxMinAvgValue {
    if ($arg_fCircuitids ~* "[^0-9,]") {
        return 403;
    }
    proxy_pass http://eems_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


