Description
A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in an unprotected function within /SubstationWEBV2/main/elecMaxMinAvgValue of Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. By manipulating the fCircuitids argument, an attacker can inject arbitrary SQL. This leads to execution of unintended database queries, allowing read, modification, or deletion of sensitive data and potential denial of service.

Affected Systems

Vendor: Acrel Electrical. Product: ECEMS Enterprise Microgrid Energy Efficiency Management System. Affected version: 1.3.0. The vulnerability is limited to this specific product version and component.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity while the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and the exploit has been published, meaning it could be actively used by attackers. The potential for unauthorized database access and data compromise is significant when the affected endpoint is exposed.

Generated by OpenCVE AI on May 3, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch for ECEMS 1.3.0 as soon as it is released
  • Restrict or block traffic to the /SubstationWEBV2/main/elecMaxMinAvgValue module to limit remote exploitation
  • Sanitize the fCircuitids input or use parameterized queries to prevent SQL injection

Advisories

No advisories yet.

History

Sun, 03 May 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System elecMaxMinAvgValue sql injection
Weaknesses | | CWE-74, CWE-89
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T11:45:39.522Z

Reserved: 2026-05-02T19:37:55.443Z

Link: CVE-2026-7694

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T12:15:59.700

Modified: 2026-05-03T12:15:59.700

Link: CVE-2026-7694

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T13:30:15Z

Weaknesses