Description
Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database.This issue was fixed in Hydrosystem Control System version 9.8.5
Published: 2026-04-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Unauthenticated Directory Access
Action: Immediate Patch
AI Analysis

Impact

Hydrosystem Control System fails to enforce authorization for specific directories, allowing an unauthenticated user to read every file there and to execute selected files, including PHP scripts that interact directly with the connected database. This flaw can lead to data disclosure, modification and ultimately full remote code execution. The weakness corresponds to the missing authorization class of vulnerabilities.

Affected Systems

The vulnerable product is Hydrosystem Control System. All releases before version 9.8.5 are susceptible; version 9.8.5 and later include the fix and are no longer affected.

Risk and Exploitability

The CVSS score of 8.8 signals a high‑severity issue. No EPSS score is published and the vulnerability is not listed in the CISA KEV catalogue, but based on the description the likely attack vector is via unauthenticated HTTP requests to the affected directories. It is inferred that an external network user could simply request these directories to read or execute files, potentially gaining full control over the system. The combination of high severity and ease of exploitation results in a high overall risk that should be addressed swiftly.

Generated by OpenCVE AI on April 9, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hydrosystem Control System to version 9.8.5 or later.
  • If an immediate patch is not possible, restrict network access to the vulnerable directories using firewall or web server configuration to block unauthenticated requests.
  • Disable execution of PHP scripts in those directories by configuring the web server or placing an .htaccess deny directive if supported.
  • Conduct a comprehensive audit to confirm that no other unauthorized directories exist and that authentication and authorization are enforced across all components.

Generated by OpenCVE AI on April 9, 2026 at 11:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Hydrosystem.poznan
Hydrosystem.poznan control System
CPEs cpe:2.3:a:hydrosystem.poznan:control_system:*:*:*:*:*:*:*:*
Vendors & Products Hydrosystem.poznan
Hydrosystem.poznan control System
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Hydrosystem
Hydrosystem control System
Vendors & Products Hydrosystem
Hydrosystem control System

Thu, 09 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Description Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database.This issue was fixed in Hydrosystem Control System version 9.8.5
Title Missing Authorization in Hydrosystem Control System
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hydrosystem Control System
Hydrosystem.poznan Control System
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-09T11:51:07.882Z

Reserved: 2026-03-26T09:40:20.576Z

Link: CVE-2026-34184

cve-icon Vulnrichment

Updated: 2026-04-09T11:51:02.879Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T10:16:22.110

Modified: 2026-04-20T17:06:12.560

Link: CVE-2026-34184

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:32:58Z

Weaknesses