CVE-2026-5012: OS Command Injection in elecV2 elecV2P
A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to OS command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2026-5012 is an OS command injection vulnerability affecting elecV2 elecV2P software versions 3.8.0 through 3.8.3. The vulnerability resides in the pm2run function within the /rpc endpoint, which improperly sanitizes input parameters, allowing an attacker to inject and execute arbitrary operating system commands remotely. This flaw requires no authentication or user interaction, making it highly accessible to attackers. The vulnerability was responsibly disclosed but remains unpatched as of the publication date. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The exploitability is high due to the lack of authentication and ease of injection, potentially enabling attackers to compromise affected systems fully. The absence of vendor response and patch availability increases the risk window. While no known active exploitation campaigns have been reported, the public availability of an exploit raises the likelihood of imminent attacks. The vulnerability primarily threatens systems running elecV2P in the specified versions, which may be deployed in various organizational environments, including industrial, IoT, or automation contexts where elecV2 is used. The lack of segmentation or exposure of the /rpc endpoint to untrusted networks exacerbates the risk.
Potential Impact
The impact of CVE-2026-5012 is significant due to its ability to allow remote, unauthenticated attackers to execute arbitrary OS commands on vulnerable elecV2P systems. Successful exploitation can lead to full system compromise, including data theft, service disruption, or use of the system as a foothold for further network intrusion. Confidentiality is at risk as attackers may access sensitive data or credentials. Integrity can be compromised by unauthorized modification or deletion of files and configurations. Availability may be affected if attackers disrupt critical services or deploy ransomware or destructive payloads. Organizations relying on elecV2P for automation or operational technology could face operational downtime, financial losses, and reputational damage. The medium CVSS score reflects moderate but tangible risk, especially given the lack of vendor mitigation and public exploit code. The vulnerability's remote and unauthenticated nature increases its threat potential, making it attractive for attackers targeting exposed or poorly secured deployments.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting network access to the /rpc endpoint, ideally limiting it to trusted internal networks or VPNs to reduce exposure.
2. Implement strict input validation and sanitization at the application or proxy level to block malicious command injection payloads targeting pm2run.
3. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block suspicious command injection attempts against elecV2P endpoints.
4. Monitor system and application logs for unusual command executions or unexpected process launches indicative of exploitation attempts.
5. If possible, disable or isolate the pm2run functionality until a vendor patch is released.
6. Engage with the vendor or community to obtain or develop patches or updates addressing this vulnerability.
7. Conduct thorough security assessments of all elecV2P deployments to identify exposed instances and remediate accordingly.
8. Educate operational teams about the risks and signs of exploitation to enable rapid incident response.
9. Consider network segmentation to isolate elecV2P systems from critical infrastructure and limit lateral movement in case of compromise.
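Recommendation 2 calls for strict input validation at the application level. The following is an added example, not elecV2P's code and not part of the advisory: one way a Node.js handler that starts scripts through pm2 can allowlist its inputs and pass them as an argument array, so no shell ever parses them. `SCRIPT_DIR` and all function names are hypothetical.

```javascript
// Added example: not elecV2P source code. SCRIPT_DIR and every function
// name below are hypothetical.
const path = require('path');
const { execFile } = require('child_process');

const SCRIPT_DIR = '/opt/app/scripts'; // assumed location of runnable scripts

// Allowlists: a plain file name ending in .js with no separators, spaces or
// shell metacharacters and no leading '-' or '.', and a short process name.
const SAFE_SCRIPT = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.js$/;
const SAFE_PROC = /^[A-Za-z0-9_-]{1,32}$/;

// Returns the absolute script path, or null when the name is not acceptable.
function resolveScript(name) {
  if (typeof name !== 'string' || !SAFE_SCRIPT.test(name)) return null;
  const full = path.resolve(SCRIPT_DIR, name);
  // Defence in depth: the resolved file must sit directly in SCRIPT_DIR.
  return path.dirname(full) === SCRIPT_DIR ? full : null;
}

// Builds the argument vector for `pm2 start <script> --name <procName>`.
// Throws instead of trying to "clean" a bad value.
function pm2StartArgs(name, procName) {
  const script = resolveScript(name);
  if (script === null) throw new Error('rejected script name');
  if (typeof procName !== 'string' || !SAFE_PROC.test(procName)) {
    throw new Error('rejected process name');
  }
  return ['start', script, '--name', procName];
}

// execFile runs the binary directly with an argument array; unlike exec(),
// it does not hand a concatenated string to /bin/sh for parsing.
function startWithPm2(name, procName, callback) {
  execFile('pm2', pm2StartArgs(name, procName), { timeout: 10000 }, callback);
}
```

Rejecting on validation failure, rather than stripping characters, keeps the allowlist the single source of truth for what may reach the process launcher.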
Affected Countries
China, United States, Germany, South Korea, Japan, India, Russia, Brazil, France, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-27T14:11:35.365Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c82a1b2b68dbd88eb19d48
Added to database: 3/28/2026, 7:20:59 PM
Last enriched: 3/28/2026, 7:36:09 PM
Last updated: 3/28/2026, 9:52:39 PM