CVE-2026-7698 - Vulnerability Details

- Tiandy Easy7 Integrated Management Platform updateDbBackupInfo os command injection

Description

A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-03

Score: 6.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability exists in Tiandy Easy7 Integrated Management Platform 7.17.0, where an unvalidated 'week' argument in the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint allows an attacker to inject operating‑system commands, leading to remote execution of arbitrary code. This flaw is identified as CWE‑77 and CWE‑78 and permits attackers to compromise the platform’s confidentiality, integrity, and availability without requiring local access.

Affected Systems

Tiandy Easy7 Integrated Management Platform version 7.17.0 is affected; the flaw resides in the /Easy7/rest/systemInfo/updateDbBackupInfo functionality. No other versions are currently documented as vulnerable.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability presents moderate severity, and although EPSS is not available, publicly available exploits exist, indicating a realistic threat. It is not listed in the CISA KEV catalog. The attack is remote, likely delivered over HTTP to the vulnerable endpoint, and requires only control over the 'week' parameter to succeed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Tiandy

Easy7 Integrated Management Platform

affected

Version	Status	Constraints
`7.17.0`	affected	—

No data.

Vendor Product Confidence Versions

Tiandy

Easy7 Integrated Management Platform

100%

Version	Status	Scheme	Platform
`7.17.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor‑issued security patch for the Easy7 Integrated Management Platform as soon as it is available.
Restrict the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint so that only trusted administrators can access it, or disable the endpoint entirely if not needed.
Enforce strict input validation on the 'week' parameter, allowing only numeric values or values from an approved whitelist, to prevent command injection.
Consider network segmentation or firewall rules that block unexpected or high‑privilege command strings originating from the 'week' input.

Generated by OpenCVE AI on May 3, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://ucn9h68n9289.feishu.cn/wiki/Yslcw7QqWiRjUZkCcvkcJI62n2c
https://vuldb.com/submit/804048
https://vuldb.com/vuln/360867
https://vuldb.com/vuln/360867/cti

History

Sun, 03 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tiandy Tiandy easy7 Integrated Management Platform
Vendors & Products		Tiandy Tiandy easy7 Integrated Management Platform

Sun, 03 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Tiandy Easy7 Integrated Management Platform updateDbBackupInfo os command injection
Weaknesses		CWE-77 CWE-78
References		https://ucn9h68n9289.feishu.cn/wiki/Yslcw7QqWiRjUZkCcvkcJI62n2c https://vuldb.com/submit/804048 https://vuldb.com/vuln/360867 https://vuldb.com/vuln/360867/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Tiandy Easy7 Integrated Management Platform

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-03T13:30:40.287Z

Updated: 2026-05-03T13:30:40.287Z

Reserved: 2026-05-02T20:06:52.086Z

Link: CVE-2026-7698

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-03T14:16:27.107

Modified: 2026-05-03T14:16:27.107

Link: CVE-2026-7698

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T15:30:24Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object