Impact
The vulnerability is present in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 and affects the /SubstationWEBV2/main/uploadH5Files endpoint. By manipulating the File argument, an attacker can upload arbitrary files without restriction. The flaw is a classic unrestricted upload weakness (CWE-434) combined with improper access control (CWE-284), enabling potential remote code execution or unauthorized file placement on the server. Based on the description, it is inferred that the flaw can be triggered by sending specially crafted requests to the upload endpoint.
Affected Systems
The affected product is Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform version 1.3.0. No other versions are listed, and the CVE references only identify this specific release. Based on the vendor information, it is inferred that other versions are not affected unless they contain the same upload implementation.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The description states that the attack may be launched remotely and that the exploit has been made public, implying that an attacker could exploit the flaw from any network without credentials. Because file upload endpoints are typically reachable by authenticated, and sometimes unauthenticated, users, the risk of exploitation remains significant for systems with exposed endpoints. Based on the description, it is inferred that the risk applies to any system running the affected version with a publicly accessible upload endpoint.
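To check whether an exposed instance has received requests to this endpoint, the following added example (not vendor or OpenCVE code) scans web access logs for POSTs to /SubstationWEBV2/main/uploadH5Files and prioritises those accepted from outside expected networks. It assumes Combined Log Format; the trusted range and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote

ENDPOINT = "/substationwebv2/main/uploadh5files"  # path from the advisory, lower-cased
# Assumption: placeholder range for hosts expected to use the upload feature.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Combined Log Format: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalise_path(target):
    """Canonicalise a request target so encoded or padded variants still match."""
    path = unquote(target.split("?", 1)[0])   # drop query string, then percent-decode
    path = re.sub(r";[^/]*", "", path)        # drop ;name=value path parameters
    path = re.sub(r"/{2,}", "/", path)        # collapse duplicate slashes
    return path.rstrip("/").lower()

def is_trusted(ip_text):
    """True only for a parseable address inside TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_upload_hits(lines):
    """Return one record per POST to the upload endpoint, with a triage priority."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or normalise_path(m["target"]) != ENDPOINT:
            continue
        untrusted = not is_trusted(m["ip"])
        accepted = m["status"].startswith("2")  # server answered with a 2xx status
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                     "untrusted_source": untrusted, "accepted": accepted,
                     "priority": "high" if untrusted and accepted else "review"})
    return hits

SAMPLE_LOG = [  # constructed lines using documentation addresses, not real traffic
    '10.20.4.7 - - [02/Mar/2025:09:14:01 +0000] "POST /SubstationWEBV2/main/uploadH5Files HTTP/1.1" 200 58',
    '203.0.113.45 - - [02/Mar/2025:23:51:12 +0000] "POST /SubstationWEBV2//main/uploadH5Files?t=1 HTTP/1.1" 200 61',
    '198.51.100.9 - - [03/Mar/2025:00:02:40 +0000] "POST /substationwebv2/main/%75ploadH5Files HTTP/1.1" 403 12',
    '203.0.113.45 - - [03/Mar/2025:00:03:02 +0000] "GET /SubstationWEBV2/main/index HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for hit in find_upload_hits(SAMPLE_LOG):
        print(hit)
```

Any "high" record is an upload the server accepted from an unexpected source and warrants a review of files written around that timestamp.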