Description
E-LAN Hybrid Recording System developed by TONNET has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
Published: 2026-05-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw that allows an unauthenticated remote attacker to inject arbitrary SQL commands and read data stored in the device’s internal database. This flaw is identified as CWE‑89 and grants direct access to confidential information without requiring any prior credentials.

Affected Systems

The affected system is the TONNET E‑LAN Hybrid Recording System, model TPR7308. Firmware versions prior to mdiskTRS08_tonnet_20260203-1636 contain the flaw.

Risk and Exploitability

The CVSS base score of 8.7 classifies this as high severity. Because the EPSS score is not available and it is not listed in the CISA KEV catalog, the current chance of exploitation is unclear, but the flaw can be exploited remotely through unauthenticated requests, likely targeting the system’s web interface or API endpoints. Attacks would leverage the ability to read database contents to exfiltrate sensitive data.

Generated by OpenCVE AI on May 20, 2026 at 04:24 UTC.

Remediation

Vendor Solution

Please update firmware to version mdiskTRS08_tonnet_20260203-1636 or later

OpenCVE Recommended Actions

  • Update the device firmware to version mdiskTRS08_tonnet_20260203-1636 or newer as described by the vendor
  • If an update cannot be applied immediately, restrict external network access to the E‑LAN device using firewall rules or isolate it from untrusted networks
  • Apply secure coding practices in any custom interfaces: use parameterized queries and limit database privileges to prevent injection attacks

Generated by OpenCVE AI on May 20, 2026 at 04:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Tonnet
Tonnet tpr7308
Vendors & Products Tonnet
Tonnet tpr7308

Wed, 20 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description E-LAN Hybrid Recording System developed by TONNET has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
Title TONNET|E-LAN Hybrid Recording System - SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Tonnet Tpr7308
cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-05-20T12:33:01.428Z

Reserved: 2026-05-19T13:43:36.031Z

Link: CVE-2026-9003

cve-icon Vulnrichment

Updated: 2026-05-20T12:32:57.891Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T04:16:59.217

Modified: 2026-05-20T14:01:24.027

Link: CVE-2026-9003

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:38:04Z

Weaknesses