Full Report
CERT Polska has received a report about 3 vulnerabilities (CVE-2026-4901, CVE-2026-34184, CVE-2026-34185) found in Hydrosystem Control System software.
Analysis Summary
# Vulnerability: Multiple Flaws in Hydrosystem Control System
## CVE Details
- **CVE ID:** CVE-2026-4901, CVE-2026-34184, CVE-2026-34185
- **CVSS Score:** Not explicitly provided in the source (Typically High/Critical for ICS environments with SQLi and Auth Bypass)
- **CWE:**
- CWE-532: Insertion of Sensitive Information into Log File
- CWE-862: Missing Authorization
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
## Affected Systems
- **Products:** Hydrosystem Control System
- **Versions:** All versions prior to 9.8.5
- **Configurations:** Systems where web-accessible directories are reachable without network segmentation.
## Vulnerability Description
Three distinct vulnerabilities impact the Hydrosystem Control System:
1. **CVE-2026-4901:** The application logs sensitive user credentials into log files.
2. **CVE-2026-34184:** The system fails to enforce authorization on specific directories. This allows an unauthenticated attacker to read files and execute scripts (including PHP scripts) directly against the connected database.
3. **CVE-2026-34185:** A pervasive SQL Injection vulnerability exists across most scripts and input parameters, allowing authenticated users to execute arbitrary SQL commands.
**Chaining Potential:** An unauthorized attacker can use CVE-2026-34184 to access the logs containing credentials (CVE-2026-4901), escalate to an authenticated session, and then use CVE-2026-34185 to gain full database control.
## Exploitation
- **Status:** Reported to CERT Polska; no evidence of exploitation in the wild mentioned.
- **Complexity:** Low (Lack of protection/missing authorization).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Access to user credentials and full database contents).
- **Integrity:** High (Ability to execute arbitrary SQL commands and scripts).
- **Availability:** High (Potential for database manipulation or system disruption).
## Remediation
### Patches
- **Update to Version 9.8.5** or later. This version addresses the logging of sensitive data, enforces directory authorization, and mitigates SQL injection paths.
### Workarounds
- **Network Segmentation:** Ensure the Control System is not accessible from the public internet.
- **Access Control:** Implement strict IP whitelisting for the web interface and directories.
- **Log Management:** Restrict filesystem permissions to log directories to administrative users only.
## Detection
- **Indicators of Compromise:**
- Unusual PHP execution patterns in web server logs.
- Presence of SQL syntax (e.g., `' OR 1=1`, `UNION SELECT`) in URL parameters or POST bodies.
- Unauthorized access attempts to sensitive directories.
- **Detection methods and tools:**
- Monitor web server access logs for unauthorized status codes (200 OK where 403 Forbidden is expected).
- Use SIEM rules to flag access to sensitive log files (.log, .txt) via the web server.
## References
- **CERT Polska Advisory:** hxxps[://]cert[.]pl/en/posts/2026/04/vulnerabilities-in-hydrosystem-control-system/
- **CVD Policy:** hxxps[://]cert[.]pl/en/cvd/
- **CVE Records:**
- hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-4901
- hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-34184
- hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-34185