CVE-2012-5863
published 2012-11-23

Priority: P273 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 24.82% (97.6th percentile)
These Sinapsi devices do not check for special elements in commands sent to the system. By accessing certain pages with administrative privileges that do not require authentication within the device, attackers can execute arbitrary, unexpected, or dangerous commands directly onto the operating system.

Affected

4 ranges

Vendor       Product           Version range            Fixed in
sinapsi      esolar            < 2.0.2870_xxx_2.2.12    2.0.2870_xxx_2.2.12
sinapsi      esolar_duo        < 2.0.2870_xxx_2.2.12    2.0.2870_xxx_2.2.12
sinapsi      esolar_light      < 2.0.2870_xxx_2.2.12    2.0.2870_xxx_2.2.12
sinapsitech  sinapsi_firmware  <= 2.0.2870

Detection & IOCs (extracted from sources)

url: /dettagliinverter.php?primo=primo&inverterselect=3
path: /ping.php
path: /dettagliinverter.php
path: /changelanguagesession.php
command: curl "http:///ping.php?ping=ok" -d "ip_dominio=192.168.1.1 -n 1 %26 dir"
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sinapsi eSolar Light Photovoltaic System - Command Injection Attempt Inbound (CVE-2012-5863)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.php?"; content:"ping="; http.request_body; content:"ip_dominio"; fast_pattern; reference:cve,2012-5863; classtype:web-application-attack; sid:2061824; rev:1; metadata:attack_target Server, created_at 2025_04_23, cve CVE_2012_5863, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Command injection is triggered via HTTP POST to /ping.php?ping=ok with the 'ip_dominio' POST parameter containing unsanitized shell metacharacters (e.g., '&', '%26') to chain arbitrary OS commands.
  • The vulnerable endpoint /ping.php requires no authenticated session; unauthenticated POST requests with 'ip_dominio' in the body should be treated as exploitation attempts.
  • SQL injection against /dettagliinverter.php via the GET parameter 'inverterselect' can expose plaintext username/password combinations from the MySQL account table.
  • Monitor for login attempts using the hard-coded credentials: password '36e44c9b64', password 'astridservice', or username/password 'sinapsi'/'sinapsi', regardless of the supplied username.
  • Detect HTTP POST requests to /changelanguagesession.php with a manipulated 'lingua' POST parameter as a SQL injection vector.
  • The Snort/ET rule (sid:2061824) matches POST requests to /ping.php? with 'ip_dominio' in the body. Ensure HTTP inspection is enabled and the rule is deployed at both Perimeter and Internal sensors as indicated by the metadata.
  • Hard-coded passwords are embedded in the PHP source of login.php and cannot be changed or removed by the user; detection must rely on network-level monitoring rather than credential rotation.
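
The detection notes above, expressed as a request classifier for proxy or WAF logs that record the request body. This is an added example, not code from the page's sources. The benign-value patterns (HOST_OK, LANG_OK, ID_OK), the (method, target, body) record shape, and the login field names in the samples are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Passwords listed in the page's detection notes.
HARDCODED_PASSWORDS = {"36e44c9b64", "astridservice", "sinapsi"}
# Assumptions (not from the page): what a benign parameter value looks like.
HOST_OK = re.compile(r"[A-Za-z0-9.:-]{1,253}")   # bare hostname or IP address
LANG_OK = re.compile(r"[A-Za-z_-]{2,8}")         # short language code
ID_OK = re.compile(r"[0-9]{1,6}")                # numeric inverter index


def classify(method, target, body=""):
    """Return the indicator names that one HTTP request matches."""
    url = urlsplit(target)
    path = url.path.lower()
    query = parse_qs(url.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True) if method == "POST" else {}
    hits = []
    if method == "POST" and path.endswith("/ping.php") and "ip_dominio" in form:
        hits.append("ping-ip_dominio")           # same fields as sid:2061824
        if not all(HOST_OK.fullmatch(v) for v in form["ip_dominio"]):
            hits.append("ping-shell-metachar")   # value is not a plain host
    if path.endswith("/dettagliinverter.php"):
        if not all(ID_OK.fullmatch(v) for v in query.get("inverterselect", [])):
            hits.append("inverterselect-non-numeric")
    if method == "POST" and path.endswith("/changelanguagesession.php"):
        if not all(LANG_OK.fullmatch(v) for v in form.get("lingua", [])):
            hits.append("lingua-unexpected-value")
    if any(v in HARDCODED_PASSWORDS for vs in form.values() for v in vs):
        hits.append("hardcoded-credential")      # matched in any POST field
    return hits


# Constructed sample records (method, request target, body) for illustration.
SAMPLES = [
    ("POST", "/ping.php?ping=ok", "ip_dominio=192.168.1.1 -n 1 %26 dir"),
    ("POST", "/ping.php?ping=ok", "ip_dominio=192.168.1.1"),
    ("GET", "/dettagliinverter.php?primo=primo&inverterselect=3%27", ""),
    ("POST", "/changelanguagesession.php", "lingua=it"),
    ("POST", "/login.php", "user=admin&pass=astridservice"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, "->", classify(method, target, body) or "no match")
```

Because /ping.php requires no authenticated session, a bare "ping-ip_dominio" hit is still worth reviewing; the metacharacter tag only raises confidence.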