Skip to content
Threat Feed
high advisory

CVE-2026-14737: Hanwang e-Face General Management Platform SQL Injection

A remote SQL injection vulnerability (CVE-2026-14737) affects Hanwang e-Face General Management Platform version 6.3.5.4, specifically within the `/sysAuthStr/querySysAuthStr.do` file, triggered by manipulating argument order, allowing remote attackers to potentially gain unauthorized access to or modify database contents with a publicly available exploit.

A critical SQL injection vulnerability, tracked as CVE-2026-14737, has been identified in Hanwang e-Face General Management Platform version 6.3.5.4. This flaw resides in an unknown function within the /sysAuthStr/querySysAuthStr.do file, where improper handling of argument order allows for remote SQL injection. The vulnerability enables unauthenticated attackers to execute arbitrary SQL queries against the underlying database, potentially leading to information disclosure, data manipulation, or denial of service. The CVSS v3.1 base score is 7.3 (High). Crucially, an exploit for this vulnerability is publicly available, significantly increasing the risk of widespread exploitation by malicious actors. Organizations utilizing the affected Hanwang e-Face General Management Platform are urged to address this vulnerability immediately to prevent compromise.

Attack Chain

  1. An unauthenticated attacker crafts a malicious HTTP request targeting the vulnerable /sysAuthStr/querySysAuthStr.do endpoint on a Hanwang e-Face General Management Platform 6.3.5.4 instance.
  2. The attacker manipulates the order of arguments or introduces specific SQL metacharacters within the HTTP request parameters, leveraging the flaw in the application's input validation logic.
  3. The application processes the malformed request, mistakenly interpreting the attacker-controlled input as legitimate SQL commands.
  4. The embedded SQL injection payload executes within the application's database context, bypassing intended security controls.
  5. Depending on the attacker's objective and database permissions, this can lead to unauthorized data exfiltration (e.g., user credentials, sensitive business data) or manipulation (e.g., altering records, creating new administrative accounts).
  6. The attacker leverages the retrieved or modified data for further compromise, such as gaining higher privileges within the application or pivoting to other systems within the network.

Impact

Successful exploitation of CVE-2026-14737 could lead to severe consequences for affected organizations. Attackers could gain unauthorized access to sensitive data stored in the Hanwang e-Face General Management Platform's database, including personal information, access credentials, or operational data. This data could be exfiltrated, modified, or deleted, leading to data breaches, reputational damage, regulatory fines, and operational disruption. The public availability of an exploit significantly increases the likelihood of opportunistic attacks, potentially affecting any organization using the vulnerable version of the platform.

Recommendation

  • Immediately patch Hanwang e-Face General Management Platform to a version that remediates CVE-2026-14737 as soon as one becomes available.
  • Deploy the Sigma rule "Detect CVE-2026-14737 Exploitation - Hanwang e-Face SQL Injection" to your SIEM to identify attempts to exploit /sysAuthStr/querySysAuthStr.do.
  • Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns and suspicious requests targeting the /sysAuthStr/querySysAuthStr.do path.
  • Enable comprehensive webserver access logging to capture full HTTP request details (headers, methods, URIs, query strings, body) for forensics and analysis.

Detection coverage 1

Detect CVE-2026-14737 Exploitation - Hanwang e-Face SQL Injection

high

Detects CVE-2026-14737 exploitation - HTTP requests targeting /sysAuthStr/querySysAuthStr.do with common SQL injection payloads, indicating manipulation of argument order.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →