Description
A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1.0.0. Affected by this vulnerability is an unknown functionality of the file /MP/Service/Webservice/ExampleNodeService.asmx. Executing a manipulation of the argument File can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted file upload that can lead to remote code execution
Action: Patch ASAP
AI Analysis

Impact

A flaw in the ExampleNodeService.asmx of ShuoRen Smart Heating Integrated Management Platform allows an attacker to upload arbitrary files without any validation. This unrestricted upload weakness can enable an adversary to place malicious files on the server, potentially resulting in remote code execution or other unintended operations, depending on the server configuration and the files uploaded. The vulnerability is categorized as a combination of CWE‑284 (Access Control) and CWE‑434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

The platform version affected is ShuoRen Smart Heating Integrated Management Platform 1.0.0. Users running this exact version are susceptible; no other versions are listed as affected.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, while the EPSS below 1% suggests a low probability of exploitation in the current environment, though the exploit has already been published. The vulnerability can be triggered remotely via the web service endpoint, and the denial of vendor response enhances the risk. The absence of a KEV listing means it is not yet in the CISA Known Exploited Vulnerabilities catalog, but the public availability of an exploit elevates its threat posture.

Generated by OpenCVE AI on April 17, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact ShuoRen for an official patch or update and apply it immediately once available.
  • Restrict the upload operation to allow only a predetermined set of safe file types and enforce strict size limits on uploads.
  • Configure the server so that the upload directory has no execute permissions and ensure that file uploads are stored in a location that cannot serve executable content; additionally, consider using a web application firewall to block unauthorized file upload attempts.

Generated by OpenCVE AI on April 17, 2026 at 16:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 00:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:shuoren:smart_heating_integrated_management_platform:1.0.0:*:*:*:*:*:*:*

Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Shuoren
Shuoren smart Heating Integrated Management Platform
Vendors & Products Shuoren
Shuoren smart Heating Integrated Management Platform

Mon, 23 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1.0.0. Affected by this vulnerability is an unknown functionality of the file /MP/Service/Webservice/ExampleNodeService.asmx. Executing a manipulation of the argument File can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title ShuoRen Smart Heating Integrated Management Platform ExampleNodeService.asmx unrestricted upload
Weaknesses CWE-284
CWE-434
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Shuoren Smart Heating Integrated Management Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T15:02:50.887Z

Reserved: 2026-02-23T13:59:09.845Z

Link: CVE-2026-3025

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-23T21:19:12.497

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3025

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses