VYPR
Unrated severity · NVD Advisory · Published May 23, 2019 · Updated Aug 4, 2024

CVE-2019-10852

Description

Computrols CBAS 18.0.0 allows Authenticated Blind SQL Injection via the id GET parameter, as demonstrated by the index.php?m=servers&a=start_pulling&id= substring.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Computrols CBAS 18.0.0 is vulnerable to authenticated blind SQL injection via the id parameter in the start_pulling endpoint, allowing attackers to extract sensitive data.

Vulnerability

Computrols CBAS version 18.0.0 contains an authenticated blind SQL injection vulnerability in the id GET parameter of the index.php?m=servers&a=start_pulling endpoint. The parameter is not sanitized before being used in a database query, allowing an attacker with valid credentials to inject arbitrary SQL statements. This issue was disclosed by Applied Risk [1] and a proof-of-concept exploit has been published [3].

Exploitation

An attacker must first authenticate to the CBAS web interface. Once authenticated, they can craft a malicious id parameter value containing SQL injection payloads. Because the injection is blind, the attacker typically uses time-based or boolean-based techniques to infer information from the database. The exploit details are available in the public advisory [2] and the Packet Storm posting [3].

Impact

Successful exploitation allows an authenticated attacker to extract arbitrary data from the underlying database, including user credentials, configuration details, and other sensitive information. This compromises the confidentiality of the system and could lead to further attacks against the building automation network.

Mitigation

As of the publication date, no official patch has been released by Computrols. Users are advised to upgrade to a patched version if one becomes available, or, as a workaround, to enforce strict input validation on the id parameter and to use parameterized queries. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. The advisory [1] and exploit details [3] provide further guidance.
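As an added illustration (not code from the advisory, from Computrols, or from the exploit), the following Python applies the allowlist check the mitigation refers to, an id that must be a plain non-negative integer, to constructed access-log lines for the affected endpoint and flags every request whose id fails it. The log layout, the sample lines and the helper names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a common access-log layout (assumption: the real
# CBAS server's log format may differ). Requests target the endpoint named in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - operator [23/May/2019:10:01:02 +0000] "GET /index.php?m=servers&a=start_pulling&id=12 HTTP/1.1" 200 512
10.0.0.5 - operator [23/May/2019:10:01:09 +0000] "GET /index.php?m=servers&a=start_pulling&id=12%20AND%201%3D1 HTTP/1.1" 200 512
10.0.0.5 - operator [23/May/2019:10:01:15 +0000] "GET /index.php?m=servers&a=start_pulling&id=12%27 HTTP/1.1" 500 231
10.0.0.8 - admin [23/May/2019:10:02:00 +0000] "GET /index.php?m=servers&a=list HTTP/1.1" 200 4096
"""

# Extracts the request target from the quoted request line of each log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_valid_id(value: str) -> bool:
    """Allowlist check: a server id must be a plain non-negative integer (no spaces, quotes, etc.)."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def is_start_pulling(target: str) -> bool:
    """True when the request is for index.php?m=servers&a=start_pulling."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    return (parts.path.endswith("/index.php")
            and qs.get("m") == ["servers"]
            and qs.get("a") == ["start_pulling"])


def suspicious_requests(log_text: str) -> list:
    """Return (line_no, decoded_id) for start_pulling requests whose id fails the allowlist."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m or not is_start_pulling(m.group("target")):
            continue
        # parse_qs percent-decodes, so the check sees the value the application would see.
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for raw in qs.get("id", [""]):  # a missing or empty id is also not a valid integer
            if not is_valid_id(raw):
                hits.append((n, raw))
    return hits


if __name__ == "__main__":
    for n, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {n}: non-integer id parameter {value!r}")
```

The same `is_valid_id` rule, applied server-side before the value reaches the query and combined with a prepared statement, is the input-validation half of the workaround described above.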

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in the site's index yet)