CVE-2026-9523 Overview
CVE-2026-9523 is a SQL injection vulnerability in the Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2. The flaw resides in the /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree endpoint. Attackers can manipulate the sort parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is remotely exploitable without authentication and a public exploit is available. The vendor was contacted prior to disclosure but did not respond. This issue maps to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Unauthenticated remote attackers can manipulate database queries through the sort parameter, potentially exposing or modifying data within the Acrel EEMS platform.
Affected Products
- Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2
- Endpoint: /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree
- Vulnerable parameter: sort
Discovery Timeline
- 2026-05-26 - CVE-2026-9523 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9523
Vulnerability Analysis
The Acrel EEMS 3000WEBV2 platform exposes a calculation endpoint that accepts a sort parameter used to order results in a generated database query. The application concatenates the sort value into the SQL statement without applying parameterized queries or input sanitization. An attacker can supply crafted SQL fragments to alter query semantics, extract data, or probe the underlying database structure.
The request path also contains a path-segment anomaly (/app/..;/calc/...) typical of Apache Tomcat path normalization tricks: Tomcat treats the part of a segment after ; as a path parameter and discards it before normalizing, so it resolves /app/..;/calc/... to /calc/..., whereas a servlet filter or front-end proxy that matches on the raw URL prefix sees a request under /app. This pattern is frequently used to bypass servlet filters or access control rules that match on URL prefixes. The combination allows an attacker to reach the vulnerable handler even when filters protect the /app namespace.
Root Cause
The root cause is improper neutralization of user input passed to a SQL interpreter. The sort argument is interpolated directly into an ORDER BY clause or equivalent construct. Because ORDER BY takes column identifiers rather than values, standard prepared-statement placeholders cannot bind it; the only safe approach is to map the parameter onto an allowlist of permitted column names and directions. No such validation is present, leaving the query open to injection.
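The following is an added example, not Acrel's code, showing the defective pattern described above next to an allowlist-based replacement. The table name meter_day_stats, its columns, and the sort aliases are hypothetical; an in-memory SQLite database with constructed rows stands in for the platform's database.

```python
import re
import sqlite3

# Sort aliases a client may use, mapped to the real column identifiers (hypothetical schema).
ALLOWED_SORT_COLUMNS = {
    "day": "stat_day",
    "meter": "meter_id",
    "energy": "energy_kwh",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
# One sort token: an alias optionally followed by asc/desc, nothing else.
_SORT_TOKEN = re.compile(r"^\s*([A-Za-z_]+)(?:\s+(asc|desc))?\s*$", re.IGNORECASE)


def build_query_vulnerable(sort: str) -> str:
    """The defect: the raw request parameter is spliced into the ORDER BY clause.
    A placeholder cannot help here because ORDER BY takes an identifier, not a value."""
    return "SELECT meter_id, stat_day, energy_kwh FROM meter_day_stats ORDER BY " + sort


def build_order_by(sort: str) -> str:
    """Hardened: accept only '<alias>[ asc|desc]' tokens drawn from the allowlist.
    Anything else is rejected before it can reach the SQL interpreter."""
    clause_parts = []
    for token in sort.split(","):
        m = _SORT_TOKEN.match(token)
        if not m:
            raise ValueError(f"invalid sort token: {token!r}")
        alias = m.group(1).lower()
        direction = (m.group(2) or "asc").lower()
        if alias not in ALLOWED_SORT_COLUMNS:
            raise ValueError(f"unknown sort column: {alias}")
        clause_parts.append(f"{ALLOWED_SORT_COLUMNS[alias]} {ALLOWED_DIRECTIONS[direction]}")
    return "ORDER BY " + ", ".join(clause_parts)


def query_day_stats(conn: sqlite3.Connection, meter_id: str, sort: str) -> list:
    """Hardened query: the value goes through a placeholder, the sort clause through the allowlist."""
    sql = (
        "SELECT meter_id, stat_day, energy_kwh FROM meter_day_stats WHERE meter_id = ? "
        + build_order_by(sort)
    )
    return conn.execute(sql, (meter_id,)).fetchall()


def demo_connection() -> sqlite3.Connection:
    """Constructed sample data (in-memory SQLite) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE meter_day_stats (meter_id TEXT, stat_day TEXT, energy_kwh REAL)")
    conn.executemany(
        "INSERT INTO meter_day_stats VALUES (?, ?, ?)",
        [("M1", "2026-05-24", 12.5), ("M1", "2026-05-25", 9.0), ("M2", "2026-05-25", 3.3)],
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(query_day_stats(conn, "M1", "day desc"))
    # The vulnerable builder passes metacharacters straight through; the hardened one refuses them.
    print(build_query_vulnerable("stat_day; --"))
    try:
        build_order_by("stat_day; --")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the allowlist rejects real column names that are not exposed as aliases as well as metacharacters, so the client cannot learn or use the physical schema through the sort parameter.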
Attack Vector
The attack is network-based and requires no authentication or user interaction. A remote attacker sends an HTTP request to the affected endpoint with a malicious sort parameter. Because the exploit is public, automated scanners and opportunistic actors can readily weaponize it. Refer to the VulDB entry #365542 and the Feishu technical write-up for proof-of-concept details.
Detection Methods for CVE-2026-9523
Indicators of Compromise
- HTTP requests containing the path segment /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree.
- Requests where the sort query parameter includes SQL keywords such as SELECT, UNION, SLEEP, CASE WHEN, or comment markers (--, #, /*).
- Database errors or unusually long response times correlated with calls to the getCalcmeterDetailDayListTree handler.
Detection Strategies
- Inspect web server and reverse proxy logs for the literal ..; segment (the semicolon path-parameter traversal pattern), which has no legitimate use in the EEMS application.
- Deploy WAF rules that detect SQL metacharacters in the sort parameter and block requests to the affected endpoint.
- Correlate spikes in database error counters with inbound HTTP requests to the /SubstationWEBV2/ namespace.
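The following is an added example, not part of the advisory, that applies the indicators and strategies above to reverse-proxy access logs: it flags the ..; segment, SQL keywords in the sort parameter, and 5xx responses from the getCalcmeterDetailDayListTree handler. The log lines are constructed samples in the NGINX combined format, and the IP addresses are placeholders. Both the path and the query string are percent-decoded before matching, because Tomcat decodes them before it normalizes the segment, so an encoded payload would otherwise slip past a literal match.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

VULN_HANDLER = "getCalcmeterDetailDayListTree"
# SQL keywords and comment markers listed as indicators in the advisory.
SQL_KEYWORDS = re.compile(r"(\bunion\b|\bselect\b|\bsleep\b|\bcase\s+when\b|--|#|/\*)", re.IGNORECASE)
# NGINX combined format: remote - user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/2026:10:00:01 +0000] "GET /SubstationWEBV2/calc/getCalcmeterDetailDayListTree?meterId=M1&sort=day%20desc HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/May/2026:10:00:02 +0000] "GET /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree?sort=day HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [26/May/2026:10:00:03 +0000] "GET /SubstationWEBV2/app/%2e%2e;/calc/getCalcmeterDetailDayListTree?sort=day%20UNION%20SELECT%201-- HTTP/1.1" 500 120 "-" "python-requests/2.31"',
    '10.0.0.9 - - [26/May/2026:10:00:04 +0000] "GET /SubstationWEBV2/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def analyze_request(target: str, status: int) -> dict:
    """Return the indicators present in one request target (path + query) and its status."""
    parts = urlsplit(target)          # urlsplit keeps ';' inside the path untouched
    path = unquote(parts.path)        # decode %2e%2e;  ->  ..;
    sort_values = parse_qs(parts.query, keep_blank_values=True).get("sort", [])  # parse_qs decodes values
    on_handler = VULN_HANDLER in path
    return {
        "semicolon_traversal": "..;" in path,
        "sql_in_sort": any(SQL_KEYWORDS.search(v) for v in sort_values),
        "handler_5xx": on_handler and status >= 500,
    }


def scan_log(lines) -> list:
    """Return (ip, target, reasons) for every log line that carries at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        flags = analyze_request(m.group("target"), int(m.group("status")))
        reasons = [name for name, hit in flags.items() if hit]
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(reasons), target)
```

A plain call to the handler with a benign sort value produces no hit, so the rule can run on the full access log without flooding the SIEM; the two requests from the placeholder source 203.0.113.7 are flagged, the second one on all three indicators.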
Monitoring Recommendations
- Enable verbose access logging for the EEMS application server and forward logs to a centralized analytics platform.
- Monitor outbound network traffic from the EEMS database host for unexpected exfiltration patterns.
- Alert on authentication or session anomalies that follow scans of the /calc/ URL space.
How to Mitigate CVE-2026-9523
Immediate Actions Required
- Restrict network exposure of the Acrel EEMS 3000WEBV2 platform to trusted management networks until a vendor fix is available.
- Place the application behind a web application firewall configured to block SQL injection signatures on the sort parameter.
- Audit application and database logs for prior exploitation attempts referencing getCalcmeterDetailDayListTree.
Patch Information
No vendor patch is available at the time of publication. According to the CVE record, the vendor was contacted prior to disclosure but did not respond. Operators should track the VulDB entry #365542 for updates and contact Acrel Electrical directly for remediation guidance.
Workarounds
- Block external access to /SubstationWEBV2/app/ and any path containing ..; at the reverse proxy or load balancer.
- Disable Apache Tomcat path-parameter handling by setting allowEncodedSlash and allowBackslash to false and rejecting URIs containing ; segments.
- Apply database account least privilege so the EEMS service account cannot read sensitive tables or write outside its own schema.
# Example NGINX rule to block the path-traversal and SQL keywords on the vulnerable endpoint.
# Regex locations are tried in file order, so the traversal rule must come first.
location ~* "/SubstationWEBV2/app/\.\.;/calc/getCalcmeterDetailDayListTree" {
    return 403;
}
# Requests that reach the handler by its legitimate path are checked for SQL metacharacters in sort.
# $args is the raw, still percent-encoded query string, so encoded payloads must be decoded by the WAF.
location ~* "/calc/getCalcmeterDetailDayListTree" {
    if ($args ~* "sort=.*(union|select|sleep|case\s+when|--|/\*)") {
        return 403;
    }
    # ... the existing proxy_pass / upstream directives for the EEMS application go here
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.