The vulnerability is an SQL injection flaw in Kados R10 GreenBee that can be triggered by unauthenticated users through the user2reset parameter. By injecting crafted SQL, an attacker can cause the application to execute arbitrary SQL commands, enabling the extraction of confidential data or modification of records. This compromise affects confidentiality and integrity of the database, potentially leading to data theft or corruption. The flaw is classified as CWE‑89, which denotes an injection flaw that permits untrusted input to influence database queries.

The flaw targets the Marmotech Kados R10 GreenBee application. Any installation of Kados R10 GreenBee, regardless of patch level, is susceptible unless mitigated. The affected component is the user2reset functionality exposed via the web interface. Users running Kados R10 GreenBee should verify their version and apply any vendor‑supplied updates. In the absence of a patch, restricting access to the endpoint or applying configuration changes can reduce risk.

The CVSS base score of 8.8 signifies a high severity, and the EPSS score of less than 1 percent indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploitation at the time of analysis. The attack vector is likely over the network by sending a specially crafted HTTP request to the user2reset endpoint; authentication is not required. Exploitation requires only the ability to reach the vulnerable application, making it potentially accessible to any remote actor if the service is exposed.