CVE-2026-4289: SQL Injection in Tiandy Easy7 Integrated Management Platform
CVE-2026-4289 is a medium-severity SQL injection vulnerability affecting Tiandy Easy7 Integrated Management Platform versions up to 7.17.0. The flaw is in the /rest/preSetTemplate/getRecByTemplateId endpoint, where manipulation of the ID parameter lets an unauthenticated remote attacker execute arbitrary SQL commands against the backend database. Exploitation requires neither user interaction nor privileges and can partially compromise the confidentiality, integrity, and availability of that database. No exploitation in the wild has been observed so far, but exploit code has been publicly disclosed. The vendor did not respond to early notification, and no patch is available. Organizations running this platform should prioritize mitigation to prevent data breaches or service disruption. Regions with significant Tiandy deployments, especially in Asia and in critical-infrastructure environments that use this platform, are at higher risk.
AI Analysis
Technical Summary
CVE-2026-4289 is a SQL injection vulnerability in the Tiandy Easy7 Integrated Management Platform, affecting versions 7.0 through 7.17.0. It resides in the REST API endpoint /rest/preSetTemplate/getRecByTemplateId, whose ID parameter reaches the backend SQL query without being safely parameterized or validated, so an attacker can alter the structure of the query rather than merely the value it compares against. The flaw is reachable remotely without authentication or user interaction, which makes it easy to exploit at scale. It affects the confidentiality, integrity, and availability of the backend database by enabling unauthorized reads, modification, or deletion of data. The CVSS 4.0 base score is 6.9 (medium): exploitation is easy and the impact is real, but the exposure is limited to the platform's database. The vendor was notified but has issued neither a patch nor an advisory; no exploitation in the wild has been observed yet, though public exploit code exists, and the lack of vendor response increases the risk for organizations that rely on the platform. The issue is particularly serious where Easy7 manages sensitive or operational data, such as video surveillance or integrated building management, since an attacker could extract that information, disrupt services, or use the foothold to pivot within the network.
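The following is an added illustration of the bug class described above, not Tiandy's code and not the disclosed exploit: a lookup-by-ID handler written three ways against a constructed in-memory SQLite table (the table, column names and rows are assumptions). It shows why "sanitizing" an integer parameter by stripping quotes does nothing, and why binding the value as a query parameter is the fix.

```python
import sqlite3


# Constructed stand-in for the preset-template records the endpoint returns.
# Table and column names are assumed for illustration; this is not Tiandy's schema.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE preset_template (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO preset_template VALUES (?, ?, ?)",
        [(1, "lobby-cams", "ops"), (2, "parking-cams", "ops"), (3, "server-room", "security")],
    )
    return conn


def get_rec_vulnerable(conn: sqlite3.Connection, template_id: str) -> list:
    """The injection pattern: the request parameter is spliced into the statement
    text, so anything after the number becomes part of the query itself."""
    sql = f"SELECT id, name, owner FROM preset_template WHERE id = {template_id}"
    return conn.execute(sql).fetchall()


def get_rec_blocklist(conn: sqlite3.Connection, template_id: str) -> list:
    """A 'sanitizing' fix that strips quotes, semicolons and comment markers.
    It does not help: in a numeric context none of those characters is needed."""
    cleaned = template_id.replace("'", "").replace(";", "").replace("--", "")
    sql = f"SELECT id, name, owner FROM preset_template WHERE id = {cleaned}"
    return conn.execute(sql).fetchall()


def get_rec_parameterized(conn: sqlite3.Connection, template_id: str) -> list:
    """The real fix: the value is bound as a parameter, so the statement's
    structure is fixed before the input is seen and the input is only ever
    compared as data. SQLite converts a bound '2' to 2 for the INTEGER column;
    a non-numeric string simply matches nothing."""
    sql = "SELECT id, name, owner FROM preset_template WHERE id = ?"
    return conn.execute(sql, (template_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for fn in (get_rec_vulnerable, get_rec_blocklist, get_rec_parameterized):
        print(fn.__name__, "id=2 ->", fn(db, "2"))
        print(fn.__name__, "id='2 OR 1=1 --' ->", fn(db, "2 OR 1=1 --"))
```

Rejecting non-integer IDs with a 400 before the query runs is a sensible extra layer at the handler or proxy, but it is not a substitute for binding: only the parameterized form makes the query's structure independent of the input.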
Potential Impact
The SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands on the backend database without authentication, potentially leading to unauthorized data disclosure, data manipulation, or deletion. This can compromise the confidentiality of sensitive information managed by the Easy7 platform, such as surveillance data or configuration details. Integrity of the system can be undermined by unauthorized changes to database records, potentially affecting system operations or decision-making processes. Availability may also be impacted if attackers execute destructive queries or cause database errors, leading to service disruption. Organizations using this platform in critical infrastructure, security monitoring, or enterprise environments face risks of data breaches, operational downtime, and reputational damage. The absence of vendor patches and public exploit disclosure increases the likelihood of exploitation attempts, especially by opportunistic attackers scanning for vulnerable instances.
Mitigation Recommendations
Organizations should immediately audit their deployments of Tiandy Easy7 Integrated Management Platform to identify affected versions (7.0 through 7.17.0). Until an official patch is released, apply the following mitigations:
1) Restrict network access to the Easy7 web interface, and to the /rest/preSetTemplate/getRecByTemplateId endpoint in particular, using firewall rules or a web application firewall (WAF) so that only trusted management networks can reach it. Because the endpoint requires no authentication, an internet-exposed instance is exploitable by anyone who finds it.
2) Enforce input validation at the proxy or WAF level: the ID parameter identifies a template record, so reject any request whose ID is not a short positive integer. An allowlist of this kind is far more reliable than a blocklist of SQL keywords, which attackers routinely bypass.
3) Monitor web server and application logs for requests to this endpoint whose ID contains quotes, comment sequences (--, /*), boolean or UNION keywords, or time-delay functions, and for bursts of such requests from a single source. HTTP 500 responses or unusually slow responses on this endpoint are also worth alerting on, since they are typical of error-based and time-based probing.
4) Where possible, isolate the Easy7 platform in a segmented network zone with minimal access to other backend systems, and run its database connection under an account limited to the privileges the application actually needs, so that an injected query cannot read or modify unrelated data.
5) Back up databases and configuration data regularly and test the restores, so the system can be recovered if it is compromised.
6) Engage Tiandy support channels for updates and patches, and consider alternative solutions if the vendor remains unresponsive.
7) Conduct penetration testing focused on SQL injection to identify other injection points in the platform; similar bugs often exist in sibling REST handlers.
These measures reduce the attack surface and improve detection until a vendor patch is available.
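As an added example for the validation and monitoring items above (this is not a tool from the page or from Tiandy), the script below implements the integer allowlist for the ID parameter and runs it over constructed common-log-format access-log lines to flag suspicious requests to the endpoint and count repeat sources. The assumption that the ID is a positive integer, the parameter name casing, and all log lines and IP addresses are invented for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory. The ID is assumed to be a plain positive integer.
ENDPOINT = "/rest/preSetTemplate/getRecByTemplateId"
TEMPLATE_ID_RE = re.compile(r"^[0-9]{1,10}$")
# Tokens that never belong in an integer ID. Matching them only labels the finding;
# the allowlist above is the actual accept/reject decision.
SQL_META_RE = re.compile(
    r"['\";#]|--|/\*|\b(?:or|and|union|select|sleep|benchmark|waitfor|load_file)\b",
    re.IGNORECASE,
)
# Common log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; addresses and payloads are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2026:18:01:02 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?id=12 HTTP/1.1" 200 512
203.0.113.9 - - [17/Mar/2026:18:01:07 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?id=12%20AND%20SLEEP(5) HTTP/1.1" 200 512
203.0.113.9 - - [17/Mar/2026:18:01:09 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?id=12'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 87
198.51.100.4 - - [17/Mar/2026:18:01:40 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?id=12abc HTTP/1.1" 500 87
10.0.0.7 - - [17/Mar/2026:18:02:00 +0000] "GET /rest/device/list?page=1 HTTP/1.1" 200 2048
"""


def is_valid_template_id(value: str) -> bool:
    """Allowlist check usable as a proxy/WAF rule: accept only a short positive integer."""
    return bool(TEMPLATE_ID_RE.match(value))


def check_request(target: str):
    """Return a reason string if the request targets the endpoint with a bad ID, else None."""
    parts = urlsplit(target)
    if parts.path.lower() != ENDPOINT.lower():
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    # Accept either 'id' or 'ID' as the parameter name.
    values = [v for k, vs in params.items() if k.lower() == "id" for v in vs]
    if not values:
        return "missing_id"
    if len(values) > 1:
        return "duplicate_id_parameter"  # parameter pollution is itself suspicious
    value = values[0]
    if is_valid_template_id(value):
        return None
    if SQL_META_RE.search(value):
        return "sql_metacharacters_in_id"
    return "non_numeric_id"


def scan_log(text: str) -> list:
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = check_request(m["target"])
        if reason:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "target": m["target"], "reason": reason})
    return findings


def repeat_offenders(findings: list, threshold: int = 2) -> dict:
    """Source IPs with at least `threshold` suspicious hits: repeated probing is the signal."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["reason"]}: {h["target"]}')
    print("repeat sources:", repeat_offenders(hits))
```

The same `is_valid_template_id` predicate is what a reverse proxy rule should express: anything that is not a short integer gets a 400 before it reaches the application. The metacharacter regex only classifies what the allowlist already rejected, which is why bypass tricks against the keyword list do not matter here.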
Affected Countries
China, United States, India, Russia, South Korea, Japan, Germany, United Kingdom, Brazil, United Arab Emirates
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-16T16:31:56.591Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b99a3b771bdb1749cb0cbc
Added to database: 3/17/2026, 6:15:23 PM
Last enriched: 3/17/2026, 6:28:55 PM
Last updated: 3/17/2026, 11:22:32 PM