
A Hidden Flaw in Power Grid Software Could Let Hackers Read Everything — and No One Patched It

A critical vulnerability in cloud software managing electrical infrastructure exposes sensitive operational data to remote attackers. No fix exists yet, and the vendor went silent.


This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

The software quietly managing power distribution for buildings, factories, and facilities across multiple countries has a serious security hole — one the manufacturer was warned about and chose to ignore.

Who's at Risk — and Why It Matters

Acrel Electrical's EEMS (Enterprise Energy Management System) platform is a cloud-based tool used by facility operators, industrial sites, and building managers to monitor and control electrical systems in real time. We're talking about the kind of software that tracks circuit load, flags power anomalies, and logs energy consumption for everything from hospital wings to factory floors.

The vulnerability affects version 1.3.0 of the platform, and there is currently no patch available. Security researchers notified the vendor privately first, the standard responsible disclosure process, and published the flaw only after the vendor failed to respond. That silence forced researchers' hands, and now the details are out in the open, available to anyone, including the wrong people.

With critical infrastructure software, the stakes aren't just data breaches. Unauthorized access to an energy management platform can mean visibility into facility power layouts, operational schedules, and equipment thresholds — a reconnaissance goldmine for anyone planning something worse.


How the Attack Works — No Jargon Required

Imagine a filing cabinet at a company that anyone can walk up to. There's a slot on the front labeled "search here" — you type in a circuit ID number, and the cabinet spits out the matching power records. Now imagine if, instead of typing a normal number, you typed a carefully crafted string of characters that tricks the cabinet into opening every drawer and handing you everything inside. That's essentially what's happening here.

The EEMS platform has a feature that retrieves maximum, minimum, and average electrical values for specific circuits. To do that, it accepts an identifier — a circuit ID — from whoever is asking. The problem is that the platform doesn't check whether the submitted value is actually a circuit ID before using it to build a database query. An attacker can place database commands in that input field, and the database on the other end will execute them without question.

What makes this particularly dangerous is that the attack can be launched remotely, over the internet, with no need to be physically present or already inside the network. If the platform is reachable from the public web — as cloud platforms often are — an attacker needs nothing more than a browser and knowledge of the flaw. They can potentially extract usernames, passwords, operational data, and configuration details from the underlying database in minutes.


The Technical Detail Security Teams Need to Know

The vulnerable endpoint is /SubstationWEBV2/main/elecMaxMinAvgValue, and the injection occurs through the fCircuitids parameter. This is a classic SQL injection vulnerability — specifically an unsanitized parameter passed directly into a database query with no apparent input validation or parameterized query protection. The flaw carries a CVSS score of 7.3 (HIGH), and crucially, available indicators suggest the endpoint may be accessible without authentication, meaning there's no login barrier standing between an attacker and the vulnerable query path. Network defenders should prioritize blocking or monitoring requests to this endpoint immediately.
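To make the two sentences above concrete, here is an added illustration in Python, written for this article and not taken from Acrel's code (whose language, schema and column names are not on the page and are assumed here). It shows the flawed pattern, a request parameter pasted into SQL text, beside a parameterized query and an allow-list check, using an in-memory SQLite table as a stand-in for the platform's readings store.

```python
import sqlite3

# Constructed stand-in for the platform's readings table (assumption: the real
# schema, column names and database backend are not described on the page).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (circuit_id INTEGER, value REAL)")
    conn.executemany(
        "INSERT INTO readings VALUES (?, ?)",
        [(1, 10.0), (1, 30.0), (2, 5.0), (2, 7.0), (3, 100.0)],
    )
    return conn

QUERY = (
    "SELECT circuit_id, MAX(value), MIN(value), AVG(value) "
    "FROM readings WHERE circuit_id = {cond} GROUP BY circuit_id"
)

def max_min_avg_vulnerable(conn, f_circuitids):
    """The flawed pattern: the request parameter becomes part of the SQL text,
    so a value containing SQL syntax changes what the query does."""
    sql = QUERY.format(cond=f_circuitids)
    return conn.execute(sql).fetchall()

def max_min_avg_parameterized(conn, f_circuitids):
    """Parameterized query: the value is bound as data and never parsed as SQL.
    A non-numeric string simply matches no row."""
    sql = QUERY.format(cond="?")
    return conn.execute(sql, (f_circuitids,)).fetchall()

def validate_circuit_id(f_circuitids):
    """Allow-list validation: a circuit ID is a non-negative integer, nothing else."""
    value = str(f_circuitids).strip()
    if not value.isdigit():
        raise ValueError(f"fCircuitids must be numeric, got {value!r}")
    return int(value)

def max_min_avg_hardened(conn, f_circuitids):
    """Defense in depth: reject malformed input early, then bind the integer."""
    circuit_id = validate_circuit_id(f_circuitids)
    return max_min_avg_parameterized(conn, circuit_id)

if __name__ == "__main__":
    db = build_db()
    print(max_min_avg_vulnerable(db, "1"))            # one circuit, as intended
    print(max_min_avg_vulnerable(db, "1 OR 1=1"))     # every circuit: the injection
    print(max_min_avg_parameterized(db, "1 OR 1=1"))  # []: bound as a literal string
    print(max_min_avg_hardened(db, "2"))              # validated and bound
```

The parameterized version alone is enough to neutralize the injection, because the database compares the column against the literal string rather than interpreting it. The validation step on top of it is what a defender would still want: it turns bad input into a logged, rejected request instead of a silently empty result.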


Has Anyone Exploited This Yet?

As of publication, there is no confirmed active exploitation in the wild. However, that window is closing fast. The exploit details have been publicly disclosed — meaning they're available on vulnerability tracking platforms and researcher forums right now. In the security world, the gap between "publicly disclosed" and "actively exploited" is often measured in days, not weeks, especially for industrial and infrastructure-adjacent software that organizations are slow to update.

The discovery was made by an external security researcher who followed responsible disclosure practices — notifying the vendor before going public. Acrel Electrical did not respond. That non-response left the researcher with limited options: stay silent indefinitely (protecting a broken product at the expense of the public) or publish and let administrators defend themselves. They chose the latter.

No specific campaigns, threat groups, or known victims have been linked to this vulnerability at this time. But energy management platforms are a known target category. In 2021 and 2022, multiple threat actors — including state-sponsored groups — specifically targeted building and energy management systems as entry points into broader operational technology environments.


What You Should Do Right Now

If your organization uses Acrel EEMS, take these three steps immediately:

  1. Audit your exposure. Check whether your EEMS platform (specifically version 1.3.0) is accessible from the public internet. Use your firewall or network access controls to restrict access to the /SubstationWEBV2/ application path to trusted IP addresses only. If your deployment doesn't need to be internet-facing, take it offline from public access entirely until a patch is available.
  2. Monitor for suspicious queries. Enable logging on the database layer and web application layer if you haven't already. Look specifically for anomalous inputs to the fCircuitids parameter: SQL keywords (SELECT, UNION), comment markers (--), or single quotes appearing in request logs where only numeric circuit IDs belong. A web application firewall (WAF) with SQL injection rules enabled can help block exploitation attempts in the interim.
  3. Contact Acrel and demand a patch timeline. Push your vendor directly — via support tickets, account managers, and if necessary, formal written notice. Document everything. If Acrel continues to be unresponsive and your organization relies on this platform for critical operations, escalate to your legal or procurement teams about contractual security obligations. In the meantime, check Acrel's official channels for any emergency updates or advisories related to version 1.3.0.
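As an added example of the monitoring advice in step 2 (written for this article, not a tool from Acrel or the researcher), the following Python script scans web-server access-log lines for requests to the vulnerable endpoint and flags any fCircuitids value that is not a plain numeric ID or comma-separated list. The combined-log layout and the "one ID or a comma-separated list" shape of a benign value are assumptions; the sample log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/SubstationWEBV2/main/elecMaxMinAvgValue"
PARAM = "fCircuitids"

# Benign shape of the parameter: a circuit ID or a comma-separated list (assumption).
ID_LIST = re.compile(r"\d+(?:,\d+)*")
# Indicators named in the advice above: SQL keywords, comment markers, quotes.
INDICATORS = re.compile(r"(?i)\b(?:select|union|or|and|sleep)\b|--|/\*|['\";]")

# Apache/nginx combined access-log layout (assumption about the web tier).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def analyze_line(line):
    """Return an alert dict for a suspicious fCircuitids value, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != TARGET_PATH:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = unquote_plus(raw)  # second decode normalizes double-encoded values
        if ID_LIST.fullmatch(value):
            continue  # allow-list match: nothing to report
        found = sorted({hit.lower() for hit in INDICATORS.findall(value)})
        return {"ip": m["ip"], "time": m["ts"], "status": m["status"],
                "value": value, "indicators": found}
    return None

def analyze_log(lines):
    """Run analyze_line over every line and keep the alerts."""
    return [alert for alert in (analyze_line(l) for l in lines) if alert]

# Constructed sample log lines (not real traffic): two normal lookups, a
# quote-and-OR probe, an unrelated path, and a double-encoded single quote.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2026:10:01:22 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=1042 HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2026:10:01:23 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=1042,1043 HTTP/1.1" 200 880',
    '198.51.100.7 - - [12/Mar/2026:10:05:01 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9930',
    '198.51.100.7 - - [12/Mar/2026:10:05:02 +0000] "GET /SubstationWEBV2/login HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Mar/2026:10:05:09 +0000] "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=1042%2527 HTTP/1.1" 500 310',
]

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(f'{alert["time"]} {alert["ip"]} status={alert["status"]} '
              f'value={alert["value"]!r} indicators={alert["indicators"]}')
```

The allow-list check is the important part: any value that is not a numeric ID list is reported, whether or not it contains a recognizable keyword, so the indicator list is there to help triage rather than to decide. Decoding the value a second time catches double-encoded submissions that a naive string match would miss, and filtering on the exact endpoint path keeps the alert volume tied to the vulnerable query rather than to the whole application.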

CVE-2026-7695 was assigned a CVSS score of 7.3 (HIGH). The vulnerability affects Acrel EEMS version 1.3.0. No patch has been issued at time of publication. Organizations in critical infrastructure sectors should treat this as a priority item regardless of confirmed exploitation status.
