SQL Injection in Ciser System SL firmware
CSIP firmware versions from 3.0 to 5.1.
INCIBE has coordinated the publication of a high severity vulnerability in Ciser System SL firmware, a telecommunications company. The vulnerability was discovered by Ciser System SL.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2026-2584: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:N/SA:N | CWE-89
1. Immediate Action (Workarounds)
- If an immediate firmware update is not feasible, network-level controls must be implemented to reduce the attack surface:
- Access Restriction: Limit access to the management or login panel using an Allowlist. All connection attempts from untrusted networks or the public internet must be strictly blocked.
- Network Segmentation: Isolate the management interface within a dedicated management VLAN, accessible only through a secure corporate VPN.
2. Permanent Solution (Remediation)
- The vulnerability has been fixed by the vendor through improved input validation logic and parameterized queries:
- It is recommended to update to firmware version 5.3 or higher. This version mitigates the risk by ensuring that SQL queries are handled securely, effectively neutralizing the injection vector.
CVE-2026-2584: a critical SQL Injection (SQLi) vulnerability has been identified in the authentication module of the system. An unauthenticated, remote attacker (AV:N/PR:N) can exploit this flaw by sending specially crafted SQL queries through the login interface. Due to low attack complexity (AC:L) and the absence of specific requirements (AT:N), the vulnerability allows for a total compromise of the system's configuration data (VC:H/VI:H). While the availability of the service remains unaffected (VA:N), the breach may lead to a limited exposure of sensitive information regarding subsequent or interconnected systems (SC:L).
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
