CVE-2026-4585 - Vulnerability Details

- Tiandy Easy7 Integrated Management Platform Configuration ImportSystemConfiguration.jsp os command injection

Description

A vulnerability has been found in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp of the component Configuration Handler. The manipulation of the argument File leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-03-23

Score: 9.3 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Tiandy Easy7 Integrated Management Platform allows an attacker to supply a crafted value for the File parameter in the ImportSystemConfiguration.jsp endpoint, causing the platform to execute arbitrary operating system commands. This vulnerability is an instance of command injection (CWE-77 and CWE-78) and can lead to full compromise of the host operating system, enabling disclosure of sensitive data, modification of system settings, or establishment of persistence.

Affected Systems

The issue exists in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0, specifically in the Configuration Handler component located at /Easy7/apps/WebService/ImportSystemConfiguration.jsp. Only installations running those affected versions are at risk.

Risk and Exploitability

The flaw carries a CVSS score of 9.3, indicating critical severity. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog, but the exploit has been publicly disclosed and may be used. The attack can be initiated remotely through the web interface, meaning an adversary only needs network access to trigger the command injection, making exploitation practical even with minimal privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Tiandy

Easy7 Integrated Management Platform

affected

Version	Status	Constraints
`7.0`	affected	—
`7.1`	affected	—
`7.2`	affected	—
`7.3`	affected	—
`7.4`	affected	—
`7.5`	affected	—
`7.6`	affected	—
`7.7`	affected	—
`7.8`	affected	—
`7.9`	affected	—
`7.10`	affected	—
`7.11`	affected	—
`7.12`	affected	—
`7.13`	affected	—
`7.14`	affected	—
`7.15`	affected	—
`7.16`	affected	—
`7.17.0`	affected	—

No data.

Vendor Product Confidence Versions

Tiandy

Easy7 Integrated Management Platform

100%

Version	Status	Scheme	Platform
`[7.0,7.17.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply an official vendor patch or upgrade the Easy7 Integrated Management Platform to a version newer than 7.17.0.
If a patch is unavailable, disable the configuration import functionality or restrict it to trusted IP addresses or privileged users.
Deploy a web application firewall or input validation rule to block malicious File parameters.
Monitor system and web server logs for signs of unauthorized command execution attempts.

Generated by OpenCVE AI on March 23, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.0021.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://my.feishu.cn/docx/WkHjd3oajoIw5exHk9ecUHaFnKd?from=from_copylink
https://vuldb.com/?ctiid.352422
https://vuldb.com/?id.352422
https://vuldb.com/?submit.775457

History

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tiandy Tiandy easy7 Integrated Management Platform
Vendors & Products		Tiandy Tiandy easy7 Integrated Management Platform

Mon, 23 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 23 Mar 2026 11:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp of the component Configuration Handler. The manipulation of the argument File leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Tiandy Easy7 Integrated Management Platform Configuration ImportSystemConfiguration.jsp os command injection
Weaknesses		CWE-77 CWE-78
References		https://my.feishu.cn/docx/WkHjd3oajoIw5exHk9ecUHaFnKd?from=from_copylink https://vuldb.com/?ctiid.352422 https://vuldb.com/?id.352422 https://vuldb.com/?submit.775457
Metrics		cvssV2_0 `{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Tiandy Easy7 Integrated Management Platform

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-23T11:15:06.466Z

Updated: 2026-03-23T16:38:26.005Z

Reserved: 2026-03-22T09:27:32.144Z

Link: CVE-2026-4585

Vulnrichment

Updated: 2026-03-23T16:15:33.503Z

NVD

Status : Deferred

Published: 2026-03-23T12:16:25.973

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:20Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object