PT-2026-25831 · Tiandy · Easy7 Integrated Management Platform
0Menc
Published: 2026-03-16
Updated: 2026-03-17
CVE-2026-4287
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Tiandy Easy7 Integrated Management Platform version 7.17.0
Description
A security flaw exists in Tiandy Easy7 Integrated Management Platform version 7.17.0. The issue is a SQL injection affecting an unknown function within the Endpoint component, specifically through the /rest/devStatus/queryResources API endpoint. Manipulation of the areaId parameter can trigger the SQL injection. This attack can be initiated remotely. The exploit has been publicly released. The vendor was contacted regarding this disclosure but did not respond.
Recommendations
Tiandy Easy7 Integrated Management Platform version 7.17.0: As a temporary workaround, consider restricting access to the /rest/devStatus/queryResources API endpoint to minimize the risk of exploitation.
Exploit
Fix
Special Elements Injection
SQL injection
Related Identifiers
Affected Products
Easy7 Integrated Management Platform
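
As an added illustration of the temporary workaround in the Recommendations (not code from the advisory or the vendor), this script audits web access logs for requests to /rest/devStatus/queryResources that come from outside an allowed management network or carry an areaId that is not a plain identifier. The allowlisted network, the identifier pattern, the combined log format and areaId travelling in the query string are assumptions; the advisory states none of them, and a parameter sent in a request body would not appear in such logs.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/rest/devStatus/queryResources"  # path named in the advisory
# Assumption: only this management network should reach the endpoint.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: legitimate areaId values are short alphanumeric identifiers.
AREA_ID_OK = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Combined log format: client address, request line, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def from_allowed_net(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in ALLOWED_NETS)

def audit(lines):
    findings = []  # (line_no, client, status, reasons) per suspect request
    for line_no, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rstrip("/") != ENDPOINT:
            continue
        reasons = []
        if not from_allowed_net(client):
            reasons.append("source outside allowlist")
        # parse_qs percent-decodes, so encoded metacharacters are seen too.
        values = parse_qs(url.query, keep_blank_values=True).get("areaId", [])
        if any(not AREA_ID_OK.fullmatch(v) for v in values):
            reasons.append("areaId fails identifier pattern")
        if reasons:
            findings.append((line_no, client, status, reasons))
    return findings

# Constructed sample lines (documentation address ranges, invented values).
SAMPLE_LOG = [
    '10.20.0.15 - - [16/Mar/2026:09:12:01 +0000] "GET /rest/devStatus/queryResources?areaId=1001 HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Mar/2026:09:13:44 +0000] "GET /rest/devStatus/queryResources?areaId=1001 HTTP/1.1" 200 512',
    '10.20.0.15 - - [16/Mar/2026:09:14:02 +0000] "GET /rest/devStatus/queryResources?areaId=1001%27 HTTP/1.1" 500 87',
    '203.0.113.7 - - [16/Mar/2026:09:15:10 +0000] "GET /rest/other HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Any finding after the access restriction is in place means the restriction is not being enforced on the path the request took, which is worth checking against the proxy or firewall rule.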