CVE-2026-4287: SQL Injection in Tiandy Easy7 Integrated Management Platform
CVE-2026-4287 is a medium-severity SQL injection vulnerability affecting Tiandy Easy7 Integrated Management Platform version 7.17.0. The flaw exists in the /rest/devStatus/queryResources endpoint, where manipulation of the areaId parameter allows an attacker to execute arbitrary SQL commands remotely without authentication or user interaction. Although the vendor has not responded or issued a patch, exploit code has been publicly released, increasing the risk of exploitation. The vulnerability can lead to partial compromise of confidentiality, integrity, and availability of the affected system's data. No known active exploitation has been reported yet. Organizations using this platform should urgently implement mitigations to prevent potential attacks. Countries with significant deployments of Tiandy products, especially in Asia and parts of Europe, are at higher risk.
AI Analysis
Technical Summary
CVE-2026-4287 is an SQL injection vulnerability identified in Tiandy Easy7 Integrated Management Platform version 7.17.0, specifically in the /rest/devStatus/queryResources API endpoint. The vulnerability arises from improper sanitization of the areaId parameter, allowing an unauthenticated remote attacker to inject malicious SQL queries. This can lead to unauthorized data access, modification, or deletion within the backend database. The attack vector requires no authentication or user interaction, making it highly accessible to remote attackers. The vendor was notified but has not responded or provided a patch, and exploit code has been publicly disclosed, increasing the likelihood of exploitation. The CVSS 4.0 base score is 6.9, reflecting medium severity due to network attack vector, low complexity, and no privileges or user interaction required, but with limited impact on confidentiality, integrity, and availability. The vulnerability affects version 7.17.0 of the Easy7 platform, which is used for integrated management in security and surveillance environments. Lack of vendor response and patch availability heightens the urgency for organizations to apply compensating controls.
Potential Impact
If exploited, this SQL injection vulnerability could allow attackers to access sensitive information stored in the backend database, such as configuration data, user credentials, or surveillance metadata. Attackers might also modify or delete data, potentially disrupting system operations or corrupting logs and records. Given the platform's role in integrated management, such compromise could degrade the reliability and trustworthiness of security monitoring systems. The remote, unauthenticated nature of the exploit increases the risk of widespread attacks, especially if automated scanning and exploitation tools are used. Although no active exploitation has been reported, the public availability of exploit code and lack of vendor patching elevate the threat level. Organizations relying on this platform may face data breaches, operational disruptions, and increased exposure to further attacks leveraging compromised systems.
Mitigation Recommendations
Since no official patch is available, organizations should implement immediate compensating controls. These include restricting network access to the affected API endpoint by using firewalls or network segmentation to limit exposure to trusted management networks only. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the areaId parameter. Conduct thorough input validation and sanitization on any custom integrations or proxies interacting with the platform. Monitor logs for suspicious queries or anomalies related to the /rest/devStatus/queryResources endpoint. If feasible, consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect SQL injection patterns. Engage with Tiandy support channels to request updates and patches, and plan for timely application once available. Additionally, maintain regular backups of configuration and database data to enable recovery in case of compromise.
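The log-monitoring step above can be implemented as an allow-list check on areaId, shown here as an added example that is not part of the original advisory or of any Tiandy tooling. It assumes a reverse proxy in front of the platform writes combined-format access logs, that areaId arrives in the query string, and that legitimate values are short alphanumeric identifiers; none of these details are stated in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/rest/devStatus/queryResources"  # endpoint named in the advisory
PARAM = "areaId"                             # parameter named in the advisory
# Assumption: legitimate areaId values are short identifiers made of letters,
# digits, '_' or '-'. Tune this to what your deployment actually sends.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Combined log format: client address first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_requests(lines):
    """Return (client, decoded areaId) for requests to the endpoint whose
    areaId value falls outside the allow-list."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path.rstrip("/") != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are
        # compared in their decoded form; blank values are kept and flagged.
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        for value in values:
            if not SAFE_VALUE.fullmatch(value):
                hits.append((client, value))
    return hits


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Mar/2026:01:00:00 +0000] '
    '"GET /rest/devStatus/queryResources?areaId=A1001 HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Mar/2026:01:00:05 +0000] '
    '"GET /rest/devStatus/queryResources?areaId=A1001%27 HTTP/1.1" 200 9000',
    '198.51.100.7 - - [17/Mar/2026:01:00:09 +0000] '
    '"GET /rest/other?areaId=A1001%27 HTTP/1.1" 404 0',
    '203.0.113.4 - - [17/Mar/2026:01:00:12 +0000] '
    '"POST /rest/devStatus/queryResources?areaId= HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent non-conforming {PARAM}: {value!r}")
```

If areaId is carried in a request body instead, access logs will not show it, and the same allow-list has to be enforced at the proxy or WAF where the body is visible.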
Affected Countries
China, United States, Germany, United Kingdom, India, Japan, South Korea, Russia, France, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-16T16:31:29.018Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b8991d771bdb17496c94d9
Added to database: 3/16/2026, 11:58:21 PM
Last enriched: 3/17/2026, 12:12:40 AM
Last updated: 3/17/2026, 2:47:21 AM