CVE-2021-37291
Published 2022-04-11
CVE-2021-37291: An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the input_id POST parameter in index.php.
Priority P178 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 8.15% (94.1th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kevinlab | 4st_l-bems | — | — |
Detection & IOCs (extracted from sources)
Bytes: 0x5C,0x5A534C
- Detect exploitation attempts by matching POST requests to /http/index.php whose response body contains the SQL injection error string 'XPATH syntax error' together with the marker string ':\ZSL1ZSL'.
- Monitor POST requests to /http/index.php with Content-Type application/x-www-form-urlencoded in which the 'input_id' parameter carries SQL injection payloads using the EXTRACTVALUE and CONCAT functions (error-based SQLi technique).
- Flag login requests where the 'input_id' JSON parameter value contains a single quote followed by AND EXTRACTVALUE, indicating error-based blind SQL injection against the login endpoint.
- The vulnerability is unauthenticated: no prior session or credentials are required to exploit the SQL injection via the input_id POST parameter.
- The SQL injection uses an error-based technique (EXTRACTVALUE with XPATH) rather than blind/time-based, so detection should focus on XPATH syntax error strings in HTTP responses as a confirmation signal.
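
The detection notes above can be turned into a small log classifier. This is an added example, not code from the page or its sources; the event dictionary layout, the `classify`/`scan` names and the sample transactions are assumptions constructed for illustration, and it only inspects form-encoded bodies.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/http/index.php"
FORM_TYPE = "application/x-www-form-urlencoded"
# A single quote followed by AND EXTRACTVALUE(, plus CONCAT(, per the notes above.
INJECT_RE = re.compile(r"'\s*AND\s+EXTRACTVALUE\s*\(", re.IGNORECASE)
CONCAT_RE = re.compile(r"\bCONCAT\s*\(", re.IGNORECASE)
ERROR_SIGNAL = "XPATH syntax error"  # confirmation string in the response body


def classify(event):
    """Return 'confirmed', 'attempt' or 'clean' for one HTTP transaction."""
    if event["method"] != "POST" or event["path"].split("?")[0] != TARGET_PATH:
        return "clean"
    if not event.get("content_type", "").lower().startswith(FORM_TYPE):
        return "clean"
    # parse_qs URL-decodes the body, so %27 and '+' encodings are normalised
    # before the patterns run.
    values = parse_qs(event["body"], keep_blank_values=True).get("input_id", [])
    if not any(INJECT_RE.search(v) and CONCAT_RE.search(v) for v in values):
        return "clean"
    return "confirmed" if ERROR_SIGNAL in event.get("response", "") else "attempt"


def _ev(body, response, path=TARGET_PATH, method="POST"):
    return {"method": method, "path": path, "content_type": FORM_TYPE,
            "body": body, "response": response}


# Constructed sample transactions; the inner expression is elided on purpose.
PROBE = "input_id=x%27+aNd+EXTRACTVALUE%281%2CCONCAT%28...%29%29"
SAMPLES = [
    _ev("input_id=operator", "login failed"),
    _ev("input_id=O%27Brien+and+sons", "login failed"),
    _ev(PROBE, "login failed"),
    _ev(PROBE, "XPATH syntax error: '...'"),
    _ev(PROBE, "XPATH syntax error: '...'", path="/other.php"),
]


def scan(events):
    return [classify(e) for e in events]


if __name__ == "__main__":
    for verdict, e in zip(scan(SAMPLES), SAMPLES):
        print(f"{verdict:9} {e['method']} {e['path']} {e['body'][:40]}")
```

An "attempt" verdict means the request pattern matched without the error string in the response; "confirmed" means the database error was reflected back, which is the signal to escalate.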
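CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |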
GHSA
CVE-2021-37291 [CRITICAL] CWE-89 GHSA-8h2j-x64q-v264
ghsa_unreviewed · 2022-04-12
An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the input_id POST parameter in index.php.
VulnCheck
CVE-2021-37291 [CRITICAL] kevinlab 4st_l-bems Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2021 · CVSS 9.8
An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the input_id POST parameter in index.php.
Affected: kevinlab 4st_l-bems
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2021-37291; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2021-37291; https://dashboard.shadowserver.org/statistics/honeypot/vulnerabi
No detection rules found.
Nuclei
CVE-2021-37291 [CRITICAL] KevinLAB BEMS 1.0 - SQL Injection
nuclei · CVSS 9.8
KevinLAB BEMS 1.0 contains a SQL injection vulnerability. Input passed through input_id POST parameter in /http/index.php is not properly sanitized before being returned to the user or used in SQL queries. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Template:
```yaml
id: CVE-2021-37291
info:
  name: KevinLAB BEMS 1.0 - SQL Injection
  author: gy741
  severity: critical
  description: |
    KevinLAB BEMS 1.0 contains a SQL injection vulnerability. Input passed through input_id POST parameter in /http/index.php is not properly sanitized before being returned to the user or used in SQL queries. An attacker can possibly obtain sensitive information f
```
No writeups or analysis indexed.