The Grid Just Opened Up: Acrel EEMS SQL Injection Puts Critical Energy Management at Risk
TL;DR
Acrel Electrical's EEMS (Enterprise Power Operation and Maintenance Cloud Platform) v1.3.0 contains a publicly disclosed, unauthenticated SQL injection (CVE-2026-7695, CVSS 7.3) in the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint. Attackers with network access can extract, modify, or delete power monitoring data—turning critical infrastructure visibility into a blind spot.
What Happened
On May 3, 2026, security researchers disclosed a remote SQL injection vulnerability in Acrel Electrical's EEMS platform, a cloud-based system trusted by utilities, industrial facilities, and energy management operators across Asia and beyond. The flaw allows unauthenticated remote attackers to:
- Extract sensitive power grid operational data (circuit identifiers, voltage readings, demand forecasts)
- Modify circuit configurations and monitoring parameters
- Potentially corrupt or delete historical records needed for compliance and incident investigation
The vulnerability affects the fCircuitids parameter in the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint—a function that should be trusted to return accurate grid metrics. Instead, attackers can inject SQL payloads directly into this circuit identifier field.
Disclosure Status: Public PoC available. Vendor contacted but has not responded with a patch.
Technical Details
Attack Vector: Network-based, unauthenticated, no user interaction required
Affected Parameter: fCircuitids in /SubstationWEBV2/main/elecMaxMinAvgValue
CWE: CWE-89 (SQL Injection)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R (the temporal part records a proof-of-concept exploit, no remediation defined, and reasonable report confidence)
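To make the CWE-89 mechanism concrete, here is an added, self-contained Python/SQLite example. It is not Acrel EEMS code: the tables (circuit, app_user), their columns and the lookup functions are constructed for illustration, and only the parameter name fCircuitids comes from the advisory. The vulnerable function splices the comma-separated IDs straight into an IN (...) clause; the fixed one validates the list as integers and binds one placeholder per value.

```python
"""Added illustration of CWE-89 in a list-valued parameter, and its fix.

Not Acrel EEMS code: the schema (circuit, app_user) and the lookup
functions are constructed for this example. Only the parameter name
fCircuitids comes from the advisory.
"""
from __future__ import annotations

import re
import sqlite3

ID_LIST = re.compile(r"^[0-9]+(,[0-9]+)*$")  # the only shape fCircuitids should ever have


def build_db() -> sqlite3.Connection:
    """Constructed sample database: a circuit table plus a table the metrics
    endpoint should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE circuit (id INTEGER PRIMARY KEY, name TEXT, kv REAL);
        INSERT INTO circuit VALUES (1, 'Feeder A', 10.5), (2, 'Feeder B', 10.4);
        CREATE TABLE app_user (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO app_user VALUES (1, 'admin', 'constructed-hash');
        """
    )
    return conn


def circuits_vulnerable(conn: sqlite3.Connection, f_circuitids: str) -> list:
    """Vulnerable pattern: the raw parameter is spliced into the IN clause,
    so a value like "1) UNION SELECT ... --" rewrites the query."""
    sql = f"SELECT name, kv FROM circuit WHERE id IN ({f_circuitids})"
    return conn.execute(sql).fetchall()


def parse_circuit_ids(f_circuitids: str) -> list[int]:
    """Positive validation: accept only a comma-separated list of decimal
    integers and reject everything else before it gets near SQL."""
    if not ID_LIST.match(f_circuitids):
        raise ValueError(f"invalid fCircuitids: {f_circuitids!r}")
    return [int(p) for p in f_circuitids.split(",")]


def circuits_fixed(conn: sqlite3.Connection, f_circuitids: str) -> list:
    """Fixed pattern: validated integers, one bound placeholder per ID.
    The SQL text now contains only '?' markers derived from the list length."""
    ids = parse_circuit_ids(f_circuitids)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT name, kv FROM circuit WHERE id IN ({placeholders})"
    return conn.execute(sql, ids).fetchall()


def demo() -> dict:
    """Run both versions against a benign value and a constructed payload."""
    conn = build_db()
    benign = "1,2"
    payload = "1) UNION SELECT login, pw_hash FROM app_user --"
    leaked = circuits_vulnerable(conn, payload)
    try:
        circuits_fixed(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_benign": circuits_vulnerable(conn, benign),
        "vulnerable_leaks_credentials": ("admin", "constructed-hash") in leaked,
        "fixed_benign": circuits_fixed(conn, benign),
        "fixed_rejects_payload": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The payload closes the IN list early, appends a UNION against a table the endpoint has no business touching, and comments out the dangling parenthesis; the fixed version never lets that string reach the SQL text at all, because the list is validated before the placeholders are built.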
Impact Breakdown:
- Confidentiality (Low): Database contents can be exfiltrated, revealing power demand patterns, circuit topology, and operational telemetry
- Integrity (Low): Attackers can modify stored values, causing monitoring inconsistencies and data poisoning
- Availability (Low): Query manipulation may cause database timeouts, triggering false alarms or system slowdowns
The "low" impact is misleading for critical infrastructure. In power management systems, even limited data manipulation can cause:
- Blind spots in grid visibility
- Incorrect load forecasting
- Delayed incident response (corrupted historical data)
- Trust erosion in automated decision systems that rely on accurate telemetry
Lyrie Assessment: Why CISOs Should Care
1. The OT-Cloud Convergence Risk
Acrel EEMS is deployed in hybrid environments: on-premises industrial networks connected to cloud management platforms. A single SQL injection at the cloud boundary can compromise the entire data pipeline. For security teams defending critical infrastructure, this means:
- Your energy telemetry can no longer be trusted without independent verification
- Attackers don't need to breach the substation itself; they can poison data from the cloud perimeter
- Incident response teams may have corrupted or incomplete logs when investigating breaches
2. The Speed Asymmetry Problem
Finding and exploiting a SQL injection normally takes reconnaissance, payload tuning, and blind or error-based probing. Here that work is already done:
- No authentication means no wait for credentials or a valid session
- The injection point is a single named GET parameter, so requests can be scripted directly
- If the application returns database errors to the client, each attempt is confirmed immediately; if it does not, the public PoC already supplies a working payload
- Once the query shape is known, extraction can be automated across every circuit ID
For critical infrastructure, this means the time needed to detect an attempt is shorter than the time it will take to obtain and deploy a patch; detection and compensating controls have to carry the load until then.
3. Supply Chain Poisoning via OT Data
If Acrel EEMS data feeds downstream systems (SCADA dashboards, demand-response platforms, billing systems), corrupted records propagate with it. You may be:
- Sending incorrect power allocations to grid operators
- Triggering false alarms in automated response systems
- Corrupting audit trails needed for regulatory compliance (NIS2, NERC CIP, ISO 27001)
4. The Attribution Fog
Unlike memory-corruption exploits, which leave crashes and artefacts on the host, SQL injection leaves only whatever the web server and database chose to log. Without full request logging (including POST bodies) or database query logging, you may not be able to tell whether data was read, modified, or deleted, and without a prior baseline of the circuit and telemetry tables you cannot tell what changed. That makes detection harder and post-incident forensics unreliable.
Recommended Actions
IMMEDIATE (Next 24 hours):
1. Audit Network Exposure
- Identify all Acrel EEMS instances with internet-facing endpoints
- Check firewall rules, WAF deployments, and network segmentation
- Review access logs for /SubstationWEBV2/main/elecMaxMinAvgValue where fCircuitids is anything other than a comma-separated list of integers (quotation marks, parentheses, SQL keywords such as union or select, comment sequences, or percent-encoded forms of these); remember that POST bodies do not appear in ordinary access logs
2. Enable Web Application Firewall (WAF) Rules
- Deploy OWASP Core Rule Set SQL injection rules in front of the affected endpoint
- Prefer a positive rule for fCircuitids: the value should be a comma-separated list of integers, so reject anything else
- If you rely on a keyword blocklist (union, select, --, /**/, xp_, sp_, hex-encoded payloads), treat it as a tripwire rather than a control: case changes, encoding and comment tricks bypass it
- Log all blocks for forensic review
3. Baseline Database Queries
- Query your Acrel EEMS database for unusual entries in the circuit table
- Cross-reference circuit IDs with known infrastructure (should be stable)
- Flag any recent modifications to circuit configs or monitoring parameters
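The log review and WAF steps above both come down to one question: does fCircuitids look like a list of integers? The following added Python script (not vendor tooling) applies that positive check to access-log lines and, for comparison, the keyword blocklist from step 2. The log lines are constructed in the combined log format that Apache and nginx emit by default; only the endpoint path and parameter name come from the advisory.

```python
"""Added example: scan web access logs for the vulnerable endpoint.

Not vendor tooling. The log lines are constructed in the combined log format
that Apache and nginx emit by default; only the endpoint and parameter name
come from the advisory. The check is positive (what fCircuitids should look
like), with the advisory's keyword blocklist alongside for comparison.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/SubstationWEBV2/main/elecMaxMinAvgValue"
PARAM = "fCircuitids"
VALID_IDS = re.compile(r"^[0-9]+(,[0-9]+)*$")               # expected shape of the parameter
BLOCKLIST = ("union", "select", "--", "/**/", "xp_", "sp_")  # keyword list from the WAF step

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log. Lines 2, 3, 5 and 6 are the ones a reviewer should see.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/May/2026:10:12:01 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=1%2C2%2C3 HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/May/2026:10:12:09 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=1%27%20UNION%20SELECT%20login%2Cpw_hash%20FROM%20app_user-- HTTP/1.1" 500 311',
    '198.51.100.7 - - [03/May/2026:10:12:15 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=1%29%20aNd%20sleep%285%29%3D0 HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/May/2026:10:12:20 +0000] "GET /SubstationWEBV2/login HTTP/1.1" 200 2048',
    '198.51.100.7 - - [03/May/2026:10:12:31 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=1%2529%2520oR%25201%253D1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/May/2026:10:12:40 +0000] "POST /SubstationWEBV2/main/elecMaxMinAvgValue HTTP/1.1" 200 700',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def blocklist_hit(value: str) -> bool:
    """The keyword approach from the WAF step, for comparison with the positive check."""
    lowered = value.lower()
    return any(token in lowered for token in BLOCKLIST)


def scan(lines: list[str]) -> list[tuple[int, str, str | None, str]]:
    """Return (line number, client IP, decoded fCircuitids, reason) for each
    request to the endpoint whose parameter is not a plain integer list."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        if m["method"] != "GET":
            # Body parameters never reach the access log; request-body logging is needed.
            findings.append((lineno, m["ip"], None, "non-GET request, parameter not logged"))
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)
            if not VALID_IDS.match(value):
                findings.append((lineno, m["ip"], value, "fCircuitids is not a comma-separated integer list"))
    return findings


if __name__ == "__main__":
    for lineno, ip, value, reason in scan(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: {reason}; value={value!r}; blocklist_hit={blocklist_hit(value or '')}")
```

Of the four flagged lines, only the UNION payload trips the keyword blocklist; the time-based probe (sleep(5)=0), the double-encoded boolean probe and the POST request all get past it, which is why the positive check on the parameter's shape should be the primary rule and the blocklist at most a secondary alert.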
SHORT-TERM (This Week):
4. Vendor Patch Monitoring
- Contact Acrel Electrical directly for patch timeline
- If no patch timeline is given within 48 hours, escalate through your sector ISAC or national CSIRT (CISA in the US)
- Prepare compensating controls (network isolation, API rate limiting); rate limiting slows bulk extraction but does not stop the injection itself
5. Lateral Movement Assessment
- If EEMS was compromised, assume attackers may have pivoted to SCADA, EMS, or billing systems
- Review authentication logs for unusual admin access or token issuance
- Check for privilege escalation attempts in connected systems
LONG-TERM (Strategic):
6. Zero-Trust Architecture for OT/Cloud Boundary
- Implement data validation layers between Acrel EEMS and downstream systems
- Tag telemetry records at ingestion with an HMAC (SHA-256) under a key held outside the EEMS database; a checksum stored beside the data is recomputed by the same SQL write that altered the row
- Deploy autonomous anomaly detection that flags data consistency violations in real time
7. Incident Response Refresh
- Update your IR playbook to assume OT data may be poisoned
- Establish independent verification channels for critical metrics (physical substation sensors, third-party monitoring)
- Practice recovery from corrupted OT databases without losing audit context
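As an added example for item 6 (not Acrel or Lyrie code), the Python below shows why the key has to live outside the database: a SHA-256 checksum stored next to each row is recomputed by the same SQL write that changed the row, while an HMAC under a key held only by the downstream verifier cannot be. The record fields, the per-circuit sequence number and the key are constructed for the example.

```python
"""Added example: tamper-evident telemetry records.

Not Acrel or Lyrie code. The record layout, sequence field and key are
constructed. The point is the difference between a checksum stored next to
the data (which an attacker with SQL write access simply recomputes) and an
HMAC under a key the database never holds (which that attacker cannot).
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed key. In practice it lives in a KMS/HSM or with the downstream
# verifier, never in the EEMS database the injection reaches.
VERIFIER_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Stable serialisation so the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_checksum(record: dict) -> str:
    """Unkeyed SHA-256: anyone who can write the row can write this too."""
    return hashlib.sha256(canonical(record)).hexdigest()


def tag_record(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_tag(record: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(tag_record(record, key), tag)


def missing_sequence(records: list[dict]) -> list[int]:
    """Deleted rows never fail an HMAC check; a per-circuit sequence number
    (constructed field 'seq') makes the gaps visible."""
    seqs = sorted(r["seq"] for r in records)
    present = set(seqs)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in present]


def demo() -> dict:
    original = {"seq": 1, "circuit_id": 17, "ts": "2026-05-03T10:00:00Z",
                "max_kw": 412.0, "min_kw": 118.5, "avg_kw": 260.3}
    # The row as stored: data plus both kinds of integrity value.
    row = {"data": original,
           "sha256": plain_checksum(original),
           "hmac": tag_record(original, VERIFIER_KEY)}

    # Attacker with SQL write access lowers the average and fixes up the checksum column.
    tampered = dict(original, avg_kw=160.3)
    row["data"] = tampered
    row["sha256"] = plain_checksum(tampered)
    # row["hmac"] stays stale: the key is not in the database.

    checksum_passes = row["sha256"] == plain_checksum(row["data"])
    hmac_passes = verify_tag(row["data"], row["hmac"], VERIFIER_KEY)

    stored = [dict(original, seq=s) for s in (1, 2, 3, 5)]  # seq 4 deleted
    return {"checksum_still_passes": checksum_passes,
            "hmac_detects_tamper": not hmac_passes,
            "deleted_sequences": missing_sequence(stored)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The HMAC detects modification of tagged rows, nothing more: it does not stop reads, and a deleted row leaves no tag to fail, which is why the example also carries a sequence number per circuit so that gaps show up at the verifier.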
Sources
1. CVE-2026-7695 Alert - RedPacket Security
2. VulDB CVE-2026-7695 Details
3. Acrel Electrical EEMS Platform Documentation (Chinese manufacturer; product widely deployed in Asia-Pacific)
Lyrie.ai Cyber Research Division
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.