CVE-2026-2584

Summary

A critical SQL Injection (SQLi) vulnerability has been identified in the authentication module of the system. An unauthenticated, remote attacker (AV:N/PR:N) can exploit this flaw by sending specially crafted SQL queries through the login interface. Due to low attack complexity (AC:L) and the absence of specific requirements (AT:N), the vulnerability allows for a total compromise of the system's configuration data (VC:H/VI:H). While the availability of the service remains unaffected (VA:N), the breach may lead to a limited exposure of sensitive information regarding subsequent or interconnected systems (SC:L).

Affected Software

VendorProductVersion RangeStatus
Ciser System SLCSIP firmware3.0 to 5.1affected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Workarounds

If an immediate firmware update is not feasible, network-level controls must be implemented to reduce the attack surface:

  • Access Restriction: Limit access to the management or login panel using an Allowlist. All connection attempts from untrusted networks or the public internet must be strictly blocked.
  • Network Segmentation: Isolate the management interface within a dedicated management VLAN, accessible only through a secure corporate VPN.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References