CVE-2026-7694
Published: 03 May 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-7694 is a SQL injection vulnerability (CWE-74, CWE-89) in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System version 1.3.0. The issue resides in an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue, where manipulation of the fCircuitids argument triggers the injection.
The vulnerability is remotely exploitable by unauthenticated attackers with low attack complexity and no user interaction required, as reflected in its CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation has a limited (low) impact on each of confidentiality, integrity, and availability via the injected SQL.
Advisories indicate no vendor response despite early contact, with no patches or mitigations detailed. An exploit has been published and may be used, as documented in references including VulDB entries and a Feishu wiki.
Notable context includes the public availability of the exploit, increasing risk for exposed instances of this energy management system.
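Because no vendor patch or mitigation is documented, exposed operators are left with detection and virtual patching. The script below is an added example written for this page, not code from Acrel or from the advisory's references. It scans web-server access log lines (constructed samples are embedded) for requests to the affected endpoint whose fCircuitids value does not look like a list of numeric circuit IDs. The assumption that legitimate values are comma-separated integers is the author's, not something the advisory states; adjust EXPECTED_VALUE if the deployment uses a different ID format. The same check, placed in a WAF or reverse proxy rule in front of the application, serves as a stop-gap until a fix is available.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Vulnerable endpoint and parameter named in the advisory.
ENDPOINT = "/SubstationWEBV2/main/elecMaxMinAvgValue"
PARAM = "fCircuitids"

# Assumption (not stated in the advisory): a legitimate fCircuitids value is a
# comma-separated list of numeric circuit IDs. Anything else is anomalous.
EXPECTED_VALUE = re.compile(r"^\d+(?:,\d+)*$")

# Combined Log Format: client ident user [time] "method target proto" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def check_target(target):
    """Classify one request target. Returns (flagged, reason, decoded_value)."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return False, "other endpoint", None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return False, "parameter absent", None
    for raw in values:
        # parse_qs already percent-decodes once; decode again so a
        # double-encoded value (%2527 -> %27 -> ') is still inspected.
        value = unquote_plus(raw)
        if not EXPECTED_VALUE.fullmatch(value):
            return True, "non-numeric content in " + PARAM, value
    return False, "well-formed", values[0]


def scan_log(text):
    """Return (client, time, decoded_value, reason) for each flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        flagged, reason, value = check_target(m.group("target"))
        if flagged:
            hits.append((m.group("client"), m.group("time"), value, reason))
    return hits


# Constructed sample access-log lines; not real traffic from any system.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2026:10:00:01 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=12,15,18 HTTP/1.1" 200 512
10.0.0.9 - - [03/May/2026:10:00:07 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=12%27 HTTP/1.1" 500 311
10.0.0.9 - - [03/May/2026:10:00:08 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=12%2527 HTTP/1.1" 500 311
10.0.0.7 - - [03/May/2026:10:00:09 +0000] "GET /SubstationWEBV2/main/index HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for client, when, value, reason in scan_log(SAMPLE_LOG):
        print(f"{when} {client} -> {reason}: {value!r}")
```

Run against real logs by reading the file into scan_log; a 500 response paired with a flagged value, as in the constructed second and third lines, is a useful secondary signal that the injected text reached the database layer.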
Details
- CWE(s): CWE-74, CWE-89
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated SQL injection in a public-facing web application endpoint directly enables initial access through exploitation of public-facing applications.