CVE-2026-9550 Overview
CVE-2026-9550 is a path traversal vulnerability [CWE-22] in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform version 1.3.0. The flaw resides in the /SubstationWEBV2/app/..;/main/upfile endpoint, where manipulation of the path argument enables directory traversal. Remote attackers can exploit the issue without authentication or user interaction. The exploit has been publicly disclosed, increasing the likelihood of opportunistic use against exposed deployments. According to the disclosure record, the vendor was contacted prior to publication but did not respond.
Critical Impact
Unauthenticated remote attackers can traverse directories via the upfile endpoint to access files outside the intended scope, exposing sensitive operational data in power management deployments.
Affected Products
- Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0
- Deployments exposing /SubstationWEBV2/app/..;/main/upfile
- Substation web management interfaces shipped with the platform
Discovery Timeline
- 2026-05-26 - CVE-2026-9550 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9550
Vulnerability Analysis
The vulnerability affects the file upload handler reachable via /SubstationWEBV2/app/..;/main/upfile. The URL pattern uses ..; — a semicolon path parameter trick that some servlet containers and reverse proxies treat as part of the path segment rather than a traversal sequence. This allows the request to bypass mapping or filtering applied to the /app/ prefix and reach the upfile handler in the /main/ context.
Once the request reaches upfile, the handler consumes a user-controlled path argument without sufficient canonicalization. Attackers supply traversal sequences in path to write or read files outside the intended upload directory. The CWE-22 classification matches this pattern of improper limitation of a pathname to a restricted directory.
Exploitation requires only network reachability to the platform. No credentials are needed, and the attack does not depend on user interaction. The platform manages substation and power operation data, so traversal access can expose configuration files, logs, and operational records.
Root Cause
The root cause is a combination of two issues. First, the routing layer fails to normalize ..; sequences before applying access controls, enabling the attacker to reach an endpoint that should be protected. Second, the upfile handler trusts the path parameter without enforcing canonical paths or restricting writes to a fixed directory.
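The two fixes this root cause implies, as an added Python sketch that is not the vendor's code: apply the access rule to the canonical path (after `;` parameters are stripped and dot segments resolved), and resolve the `path` argument under a fixed upload root. The protected prefix, the upload root and all function names are assumptions for illustration.

```python
import posixpath
from pathlib import Path
from urllib.parse import unquote

# Assumptions for illustration, not values from the vendor's code.
PROTECTED_PREFIX = "/SubstationWEBV2/main/"
UPLOAD_ROOT = Path("/srv/eems/uploads")

def canonical_route(raw_path: str) -> str:
    """Path a container that strips ';' parameters would dispatch on."""
    segments = [unquote(seg).split(";", 1)[0] for seg in raw_path.split("/")]
    return posixpath.normpath("/".join(segments))

def naive_is_protected(raw_path: str) -> bool:
    """Flawed rule: compares the raw string, so '..;' slips past it."""
    return raw_path.startswith(PROTECTED_PREFIX)

def is_protected(raw_path: str) -> bool:
    """Corrected rule: compare the canonical form the backend will use."""
    return (canonical_route(raw_path) + "/").startswith(PROTECTED_PREFIX)

def safe_upload_target(path_arg: str) -> Path:
    """Resolve path_arg under UPLOAD_ROOT, or raise ValueError if it escapes."""
    root = UPLOAD_ROOT.resolve()
    candidate = (root / path_arg.replace("\\", "/")).resolve()
    if not candidate.is_relative_to(root):
        raise ValueError(f"path escapes upload root: {path_arg!r}")
    return candidate

if __name__ == "__main__":
    url = "/SubstationWEBV2/app/..;/main/upfile"
    print(naive_is_protected(url), is_protected(url))
    print(safe_upload_target("reports/may.csv"))
```

`Path.is_relative_to` requires Python 3.9 or later.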
Attack Vector
The attack vector is network-based. An attacker sends a crafted HTTP request to /SubstationWEBV2/app/..;/main/upfile with a path parameter containing traversal sequences such as ../. The server resolves the manipulated path and operates on a file outside the intended directory.
The vulnerability mechanism is described in prose because no verified proof-of-concept code is available in this dataset. Technical details are tracked in the VulDB Vulnerability #365609 entry and the Feishu Wiki Document referenced by the disclosure.
Detection Methods for CVE-2026-9550
Indicators of Compromise
- HTTP requests to /SubstationWEBV2/app/..;/main/upfile from external sources
- Requests containing ..;, ..%2f, or encoded traversal sequences in the URL path
- path parameter values containing ../, ..\, or absolute file paths in upfile requests
- Unexpected file reads or writes outside the configured upload directory on the application server
Detection Strategies
- Inspect web server and reverse proxy access logs for the literal string ..; in request paths targeting the SubstationWEBV2 application
- Alert on any upfile request where the path argument resolves outside the application's upload root
- Correlate inbound HTTP requests with subsequent file system activity on the application server using EDR telemetry
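The first two strategies above as an added Python example (not from the vendor or the disclosure record): it scans combined-format access log lines for `..;` in a SubstationWEBV2 path and for `upfile` requests whose `path` argument normalizes outside the upload root. The log lines are constructed, and the upload root and client addresses are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

UPLOAD_ROOT = "/srv/eems/uploads"  # assumption: adjust to the deployment
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/May/2026:10:01:02 +0000] "POST /SubstationWEBV2/app/..;/main/upfile?path=../../conf/app.properties HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/May/2026:10:01:05 +0000] "POST /SubstationWEBV2/app/%2e%2e%3b/main/upfile?path=..%5c..%5clogs HTTP/1.1" 200 90',
    '198.51.100.4 - - [26/May/2026:10:02:00 +0000] "GET /SubstationWEBV2/app/index.html HTTP/1.1" 200 1024',
    '198.51.100.4 - - [26/May/2026:10:03:00 +0000] "POST /SubstationWEBV2/main/upfile?path=reports/may.csv HTTP/1.1" 200 20',
]

def escapes_root(path_arg):
    """True if path_arg joined to UPLOAD_ROOT normalizes outside it."""
    joined = posixpath.normpath(
        posixpath.join(UPLOAD_ROOT, path_arg.replace("\\", "/")))
    return joined != UPLOAD_ROOT and not joined.startswith(UPLOAD_ROOT + "/")

def classify(line):
    """Return (client, status, reasons) for a suspicious line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.group(1), urlsplit(m.group(2)), int(m.group(3))
    path = unquote(target.path)  # decode %2e / %3b before matching
    reasons = []
    if "/substationwebv2/" in path.lower() and "..;" in path:
        reasons.append("semicolon-traversal")
    if path.endswith("/upfile"):
        # parse_qs percent-decodes values, so ..%2f and ..%5c are covered
        values = parse_qs(target.query).get("path", [])
        if any(escapes_root(v) for v in values):
            reasons.append("path-escapes-upload-root")
    return (client, status, reasons) if reasons else None

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for client, status, reasons in scan(SAMPLE_LOG):
        print(client, status, ",".join(reasons))
```

A `path` field sent in a multipart or form body does not appear in access logs, so body-level inspection at the proxy or application is needed to cover that case.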
Monitoring Recommendations
- Enable verbose access logging on the SubstationWEBV2 endpoint and forward logs to a centralized SIEM or data lake
- Monitor for high-volume scanning patterns hitting the /SubstationWEBV2/app/ path from a single source
- Track outbound transfers of configuration or backup files from the application host
How to Mitigate CVE-2026-9550
Immediate Actions Required
- Restrict network access to the EEMS platform management interface using firewall rules or a VPN gateway
- Place a web application firewall in front of the platform with rules that block ..; and encoded traversal sequences
- Audit recent access logs for requests matching the vulnerable URL pattern and investigate any matches
- Rotate credentials and secrets stored in files reachable from the application directory
Patch Information
No vendor patch has been published at the time of disclosure. According to the VulDB record, the vendor was contacted early about this disclosure but did not respond. Track the VulDB Vulnerability #365609 entry for updates and verify any future advisories directly with Acrel before deployment.
Workarounds
- Block requests containing ..; path segments at the reverse proxy or WAF layer
- Disable or remove the /SubstationWEBV2/app/..;/main/upfile endpoint if it is not required for operations
- Apply strict input validation on any reverse proxy that fronts the application, rejecting path parameters with traversal characters
- Isolate the application server from sensitive file shares until a vendor fix is available
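# Example nginx rule to block ..; traversal patterns
location /SubstationWEBV2/ {
    # $request_uri is the raw, undecoded request URI, so match the
    # percent-encoded forms of "." and ";" as well as the literals.
    if ($request_uri ~* "(\.|%2e)(\.|%2e)(;|%3b)") {
        return 403;
    }
    # $arg_path is the undecoded query-string value of "path"; \x5c is a
    # literal backslash. A path field sent in the request body is not
    # covered by this check.
    if ($arg_path ~* "(\.|%2e)(\.|%2e)(/|\x5c|%2f|%5c)") {
        return 403;
    }
    proxy_pass http://eems_backend;
}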