CVE-2012-5863
Published 2012-11-23
Priority P273 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 24.82% (97.6th percentile)
These Sinapsi devices do not check for special elements in commands sent
to the system. By accessing certain pages with administrative privileges
that do not require authentication within the device, attackers can
execute arbitrary, unexpected, or dangerous commands directly onto the
operating system.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sinapsi | esolar | < 2.0.2870_xxx_2.2.12 | 2.0.2870_xxx_2.2.12 |
| sinapsi | esolar_duo | < 2.0.2870_xxx_2.2.12 | 2.0.2870_xxx_2.2.12 |
| sinapsi | esolar_light | < 2.0.2870_xxx_2.2.12 | 2.0.2870_xxx_2.2.12 |
| sinapsitech | sinapsi_firmware | <= 2.0.2870 | — |
Detection & IOCs
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sinapsi eSolar Light Photovoltaic System - Command Injection Attempt Inbound (CVE-2012-5863)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.php?"; content:"ping="; http.request_body; content:"ip_dominio"; fast_pattern; reference:cve,2012-5863; classtype:web-application-attack; sid:2061824; rev:1; metadata:attack_target Server, created_at 2025_04_23, cve CVE_2012_5863, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Command injection is triggered via HTTP POST to /ping.php?ping=ok with the 'ip_dominio' POST parameter containing unsanitized shell metacharacters (e.g., '&', '%26') to chain arbitrary OS commands.
- The vulnerable endpoint /ping.php requires no authenticated session; unauthenticated POST requests with 'ip_dominio' in the body should be treated as exploitation attempts.
- SQL injection against /dettagliinverter.php via the GET parameter 'inverterselect' can expose plaintext username/password combinations from the MySQL account table.
- Monitor for login attempts using the hard-coded credentials: password '36e44c9b64', password 'astridservice', or username/password 'sinapsi'/'sinapsi', regardless of the supplied username.
- Detect HTTP POST requests to /changelanguagesession.php with a manipulated 'lingua' POST parameter as a SQL injection vector.
- The Snort/ET rule (sid:2061824) matches POST requests to /ping.php? with 'ip_dominio' in the body. Ensure HTTP inspection is enabled and the rule is deployed at both Perimeter and Internal sensors as indicated by the metadata.
- Hard-coded passwords are embedded in the PHP source of login.php and cannot be changed or removed by the user; detection must rely on network-level monitoring rather than credential rotation.
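The match conditions of sid:2061824, plus the metacharacter check described in the bullets above, applied to captured request text for triage of proxy or WAF captures. This is an added example, not part of the ET rule set or the cited sources; the function name, the metacharacter set and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumed metacharacter set; the page itself only names '&' / '%26'.
SHELL_META = re.compile(r"[;&|`$<>(){}\r\n]")


def classify_request(raw: str) -> str:
    """Return 'no_match', 'rule_match' or 'rule_match_metachar'."""
    head, _, body = raw.partition("\r\n\r\n")
    body = body.rstrip("\r\n")  # drop literal trailing newlines only
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2:
        return "no_match"
    method, target = parts[0], parts[1]
    # Same conditions as the rule: POST, "/ping.php?" and "ping=" in the
    # URI, "ip_dominio" in the request body.
    if not (method == "POST" and "/ping.php?" in target
            and "ping=" in target and "ip_dominio" in body):
        return "no_match"
    # parse_qsl percent-decodes, so '%26' becomes '&' inside the value.
    fields = parse_qsl(body, keep_blank_values=True)
    values = [v for k, v in fields if k == "ip_dominio"]
    if any(SHELL_META.search(v) for v in values):
        return "rule_match_metachar"
    # A raw '&' after the value splits the form body and leaves a
    # segment with no '=' behind it.
    if any(seg and "=" not in seg for seg in body.split("&")):
        return "rule_match_metachar"
    return "rule_match"


def build_request(method: str, target: str, body: str) -> str:
    """Build a constructed HTTP/1.1 request (192.0.2.0/24 is TEST-NET-1)."""
    return (f"{method} {target} HTTP/1.1\r\nHost: 192.0.2.5\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed sample requests, not taken from real traffic.
SAMPLES = {
    "plain": build_request("POST", "/ping.php?ping=ok", "ip_dominio=192.0.2.10"),
    "encoded": build_request("POST", "/ping.php?ping=ok",
                             "ip_dominio=192.0.2.10%26CONSTRUCTED"),
    "raw_amp": build_request("POST", "/ping.php?ping=ok",
                             "ip_dominio=192.0.2.10&CONSTRUCTED"),
    "no_query": build_request("POST", "/ping.php", "ip_dominio=192.0.2.10"),
    "other": build_request("GET", "/index.php", ""),
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(name, classify_request(request))
```

Because the endpoint needs no session, a plain `rule_match` is already worth an alert; the `rule_match_metachar` tier only raises confidence.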
CISA ICS
Sinapsi Devices Vulnerabilities
cisa_ics·2012-10-10
ICS Advisory
Last Revised: January 10, 2020
Alert Code: ICSA-12-325-01
## Overview
This advisory is a follow-up to the alert titled ICS-ALERT-12-284-01—Sinapsi eSolar Light Vulnerabilities that was published October 10, 2012.
Independent researchers Roberto Paleari and Ivan Speziale identified four vulnerabilities and released proof-of-concept (exploit) code for the Sinapsi eSolar Light Photovoltaic System Monitor without coordination with ICS-CERT, this vendor, or any other coordinating entity known to ICS-CERT.
The eSolar Light has also been sold with differen
GHSA
GHSA-44xp-g462-97fp: ping
ghsa_unreviewed·2022-05-17
CVE-2012-5863 [HIGH] CWE-78 GHSA-44xp-g462-97fp: ping
ping.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allows remote attackers to execute arbitrary commands via shell metacharacters in the ip_dominio parameter.
Suricata
ET EXPLOIT Sinapsi eSolar Light Photovoltaic System - Command Injection Attempt Inbound (CVE-2012-5863)
suricata·2025-04-23·CVSS 10.0
CVE-2012-5863 [CRITICAL] ET EXPLOIT Sinapsi eSolar Light Photovoltaic System - Command Injection Attempt Inbound (CVE-2012-5863)
- http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html
- http://www.exploit-db.com/exploits/21273/
- http://www.sinapsitech.it/default.asp?active_page_id=78&news_id=88
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80200
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80202
- https://www.cisa.gov/news-events/ics-advisories/icsa-12-325-01
- http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf
Published: 2012-11-23