Acrel Electrical — CraftedSignal Threat Feed

Acrel ECEMS SQL Injection Vulnerability

hello@craftedsignal.io — Sun, 03 May 2026 12:15:59 +0000

Acrel Electrical’s ECEMS Enterprise Microgrid Energy Efficiency Management System version 1.3.0 is vulnerable to SQL injection. The vulnerability resides in the /SubstationWEBV2/main/elecMaxMinAvgValue file, where manipulation of the fCircuitids argument allows for the injection of arbitrary SQL commands. The vulnerability, identified as CVE-2026-7694, can be exploited remotely without authentication, posing a significant risk to systems exposed to the network. The vendor was notified but did not respond, and a public exploit is available, increasing the likelihood of exploitation. This flaw allows attackers to potentially access, modify, or delete sensitive data within the ECEMS database.

Attack Chain

Attacker identifies an accessible instance of Acrel ECEMS 1.3.0.
Attacker crafts a malicious SQL payload designed to extract sensitive information or modify the database.
The attacker sends a crafted HTTP request to /SubstationWEBV2/main/elecMaxMinAvgValue with the SQL payload embedded in the fCircuitids parameter.
The ECEMS application fails to properly sanitize the fCircuitids input.
The application executes the attacker-supplied SQL query against the database.
The database server processes the malicious query, potentially returning sensitive data or executing harmful commands.
The attacker receives the output of the injected SQL query.
The attacker uses the extracted information for further malicious activities, such as data exfiltration, privilege escalation, or denial of service.

Impact

Successful exploitation of this SQL injection vulnerability could allow an attacker to read sensitive information from the ECEMS database, modify existing data, or even gain administrative access to the system. This could lead to the compromise of energy efficiency management data, potentially impacting grid stability and financial records. Given the lack of vendor response and the availability of a public exploit, organizations using the affected software are at high risk. The impact includes potential data breaches, system outages, and reputational damage.

Recommendation

Inspect web server logs for suspicious requests to /SubstationWEBV2/main/elecMaxMinAvgValue containing potentially malicious SQL syntax within the fCircuitids parameter (see Sigma rule “Detect Acrel ECEMS SQL Injection Attempt”).
Deploy the Sigma rule “Detect SQL Injection Error Messages” to identify potential SQL injection attempts across all web applications.
Apply input validation and sanitization to all user-supplied input, especially the fCircuitids parameter in /SubstationWEBV2/main/elecMaxMinAvgValue, to prevent SQL injection.
Consider deploying a web application firewall (WAF) to filter out malicious requests targeting this vulnerability.

Acrel EEMS Enterprise Power Operation and Maintenance Cloud Platform SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 29 Jan 2024 12:00:00 +0000

A SQL injection vulnerability has been identified in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform version 1.3.0. The vulnerability resides within the /SubstationWEBV2/main/elecMaxMinAvgValue file and is triggered by manipulating the fCircuitids argument. This flaw allows remote attackers to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or complete system compromise. The vendor was notified about the vulnerability but did not provide a response. Given the publicly disclosed nature of the exploit, organizations using the affected software should take immediate steps to mitigate the risk.

Attack Chain

The attacker identifies an instance of Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 accessible over the network.
The attacker crafts a malicious HTTP request targeting the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint.
Within the request, the attacker injects SQL code into the fCircuitids parameter.
The application improperly sanitizes the input, passing the malicious SQL code to the database.
The database executes the injected SQL code.
The attacker is able to retrieve sensitive data from the database, such as user credentials or system configurations.
The attacker uses the stolen credentials to gain unauthorized access to other parts of the application.
The attacker gains complete control of the application server, potentially leading to further compromise of the network.

Impact

Successful exploitation of this SQL injection vulnerability could allow attackers to access and modify sensitive data, potentially disrupting power operation and maintenance processes. Given that the software is used for enterprise power management, this could lead to significant financial losses, reputational damage, and potential safety hazards. The number of victims is currently unknown, but any organization utilizing the affected software (version 1.3.0 of Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform) is potentially at risk.

Recommendation

Inspect web server logs for suspicious requests to /SubstationWEBV2/main/elecMaxMinAvgValue containing unusual characters or SQL keywords in the fCircuitids parameter to detect potential exploitation attempts.
Deploy the Sigma rule Detect Suspicious fCircuitids Parameter Manipulation to identify potentially malicious requests targeting the vulnerable endpoint.
Implement input validation and sanitization measures on the fCircuitids parameter to prevent SQL injection attacks.
Consider using a Web Application Firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint.