Home

Description

Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a command injection vulnerability in the optional cli_control plugin that allows unauthenticated or cross-site request forgery attackers to execute arbitrary operating-system commands by storing a malicious payload via the plugin's HTTP endpoint. Attackers can trigger execution by activating the associated irrigation station, exploiting the absence of passphrase protection or the default passphrase 'opendoor', to achieve arbitrary command execution on the underlying host.

PUBLISHED Reserved 2026-06-30 | Published 2026-07-14 | Updated 2026-07-14 | Assigner VulnCheck




CRITICAL: 9.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
affected

Any version
affected

Credits

Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/ (Zero Science Lab Advisory (ZSL-2026-5999)) technical-description exploit

www.vulncheck.com/...ia-cli-control-plugin-command-injection third-party-advisory

cve.org (CVE-2026-58479)

nvd.nist.gov (CVE-2026-58479)

Download JSON