CVE-2012-5864
published 2012-11-23

Priority: P259, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 4.91% (91.0th percentile)
These Sinapsi devices do not check if users that visit pages within the device have properly authenticated. By directly visiting the pages within the device, attackers can gain unauthorized access with administrative privileges.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sinapsi | esolar | < 2.0.2870_xxx_2.2.12 | 2.0.2870_xxx_2.2.12 |
| sinapsi | esolar_duo | < 2.0.2870_xxx_2.2.12 | 2.0.2870_xxx_2.2.12 |
| sinapsi | esolar_light | < 2.0.2870_xxx_2.2.12 | 2.0.2870_xxx_2.2.12 |
| sinapsitech | sinapsi_firmware | <= 2.0.2870 | |

Detection & IOCs (extracted from sources)

path: /dettagliinverter.php
path: /changelanguagesession.php
path: /ping.php
path: /login.php
command: curl "http:///ping.php?ping=ok" -d "ip_dominio=192.168.1.1 -n 1 %26 dir"
other: hardcoded password: astridservice (stilecustumization=astrid)
other: hardcoded password: 36e44c9b64 (crypt hash satIZufhIrUfk)
other: hardcoded account: username=sinapsi, password=sinapsi (crypt hash saF8bay.tvfOk)
  • Monitor for unauthenticated HTTP GET requests to /dettagliinverter.php with the 'inverterselect' parameter containing SQL metacharacters (quotes, UNION, SELECT, etc.), indicating SQL injection attempts.
  • Monitor for HTTP POST requests to /changelanguagesession.php with the 'lingua' parameter containing SQL metacharacters, indicating SQL injection attempts.
  • Monitor for HTTP POST requests to /ping.php with the 'ip_dominio' parameter containing shell metacharacters such as '&', ';', '|', or '%26', indicating OS command injection attempts.
  • Alert on unauthenticated access to sensitive management pages (e.g., ping.php, dettagliinverter.php) — the device does not enforce session authentication on these pages, so any direct access without a prior login sequence is suspicious.
  • Detect login attempts using the hardcoded credentials 'astridservice', '36e44c9b64', or 'sinapsi'/'sinapsi' against the device's login.php page.
  • All firmware versions prior to 2.0.2870_xxx_2.2.12 are affected; the hardcoded credentials and vulnerable pages exist in the PHP files and cannot be patched by users; only a firmware update resolves them.
  • The same vulnerable management server firmware is shared across multiple OEM brands (Schneider Electric Ezylog and others), so the same IOCs and attack paths apply to rebranded products beyond Sinapsi.
  • Passwords in the SQL database are stored in plain text, meaning successful SQL injection against dettagliinverter.php directly yields cleartext credentials.
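
The monitoring bullets above, expressed as one classifier over HTTP request records. This is an added example, not part of the original entry or of any vendor tooling; the record shape (method, URL, body, and a `has_session` flag supplied by the sensor) and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

SQLI = re.compile(r"['\"]|\b(?:union|select)\b", re.I)  # quotes, UNION, SELECT
SHELL = re.compile(r"[&;|]")  # parse_qs decodes %26 to '&' before matching
# (path, method, parameter, pattern, label), one row per monitoring bullet
PARAM_RULES = [
    ("/dettagliinverter.php", "GET", "inverterselect", SQLI, "sqli"),
    ("/changelanguagesession.php", "POST", "lingua", SQLI, "sqli"),
    ("/ping.php", "POST", "ip_dominio", SHELL, "cmd-injection"),
]
MGMT_PAGES = {"/ping.php", "/dettagliinverter.php"}
HARDCODED = {"astridservice", "36e44c9b64", "sinapsi"}

def classify(method, url, body="", has_session=False):
    """Return the findings for one request record (record shape is assumed)."""
    parts = urlsplit(url)
    query, form = parse_qs(parts.query), parse_qs(body)
    findings = []
    for path, meth, param, pattern, label in PARAM_RULES:
        if parts.path == path and method == meth:
            values = (query if meth == "GET" else form).get(param, [])
            if any(pattern.search(v) for v in values):
                findings.append(f"{label}:{param}")
    # The device enforces no session check, so the sensor must track logins itself.
    if parts.path in MGMT_PAGES and not has_session:
        findings.append("unauthenticated-management-access")
    # Field names on login.php are not assumed: any submitted value is compared.
    if parts.path == "/login.php" and method == "POST":
        if any(v in HARDCODED for vals in form.values() for v in vals):
            findings.append("hardcoded-credential-login")
    return findings

# Constructed sample records: (method, url, body, has_session)
SAMPLES = [
    ("POST", "http://192.0.2.10/ping.php?ping=ok", "ip_dominio=192.168.1.1 -n 1 %26 dir", False),
    ("GET", "/dettagliinverter.php?inverterselect=1%27%20UNION%20SELECT%201", "", True),
    ("POST", "/login.php", "username=sinapsi&password=sinapsi", False),
    ("GET", "/dettagliinverter.php?inverterselect=3", "", True),
]

if __name__ == "__main__":
    for method, url, body, has_session in SAMPLES:
        print(method, url, "->", classify(method, url, body, has_session) or "clean")
```

Because the body is URL-decoded before matching, the `%26` form in the page's curl command and a literal metacharacter are caught by the same rule.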