CVE-2021-37291
published 2022-04-11

CVE-2021-37291: An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the input_id POST parameter in index.php.

Priority: P1 78 · critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 8.15% (94.1th percentile)

Affected (1 range)

Vendor      Product       Version range   Fixed in
kevinlab    4st_l-bems

Detection & IOCs (extracted from sources)

Path: /http/index.php
Bytes: 0x5C, 0x5A534C
  • Detect exploitation attempts by matching POST requests to /http/index.php whose response body contains the SQL injection error string 'XPATH syntax error' together with the marker string ':\ZSL1ZSL'.
  • Monitor POST requests to /http/index.php with Content-Type application/x-www-form-urlencoded whose 'input_id' parameter carries SQL injection payloads using the EXTRACTVALUE and CONCAT functions (error-based SQLi technique).
  • Flag login requests where the 'input_id' JSON parameter value contains a single quote followed by AND EXTRACTVALUE, indicating error-based SQL injection against the login endpoint.
  • The vulnerability is unauthenticated: no prior session or credentials are required to exploit the SQL injection via the input_id POST parameter.
  • The SQL injection uses an error-based technique (EXTRACTVALUE with XPATH) rather than a blind/time-based one, so detection should treat XPATH syntax error strings in HTTP responses as the confirmation signal.
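The request-side and response-side indicators above combined into one check, as an added example that is not code from this record or from the vendor; the transaction record format, the `input_id` probe value and the sample traffic are constructed for illustration:

```python
import json
import re
from urllib.parse import parse_qs, quote_plus
TARGET_PATH = "/http/index.php"
# Request-side indicator from the record: a quote followed by AND EXTRACTVALUE(
REQ_PATTERN = re.compile(r"'\s*AND\s+EXTRACTVALUE\s*\(", re.IGNORECASE)
# Response-side confirmation: MySQL XPATH error text and the ':\ZSL1ZSL' marker (bytes 0x5C 0x5A534C)
RESP_ERROR = "XPATH syntax error"
RESP_MARKER = ":\\ZSL1ZSL"

def extract_input_id(body, content_type):
    """Return the input_id value from a form-encoded or JSON body, or None."""
    if "application/json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return None
        value = data.get("input_id") if isinstance(data, dict) else None
        return value if isinstance(value, str) else None
    if "application/x-www-form-urlencoded" in content_type:
        return parse_qs(body).get("input_id", [None])[0]
    return None

def classify(txn):
    """'confirmed' (payload plus error response), 'attempt' (payload only) or None."""
    if txn.get("method") != "POST" or txn.get("path") != TARGET_PATH:
        return None
    value = extract_input_id(txn.get("body", ""), txn.get("content_type", ""))
    if not value or not REQ_PATTERN.search(value):
        return None
    response = txn.get("response", "")
    if RESP_ERROR in response or RESP_MARKER in response:
        return "confirmed"
    return "attempt"

def scan(txns):
    """Return [(index, verdict)] for every transaction flagged by classify()."""
    return [(i, v) for i, t in enumerate(txns) for v in [classify(t)] if v]

# Constructed sample transactions (not captured traffic): benign login, attempt, confirmed hit.
PROBE = "x' AND EXTRACTVALUE(1,CONCAT(0x5c,'probe'))"  # hypothetical probe value
FORM = "application/x-www-form-urlencoded"
SAMPLE_TXNS = [
    {"method": "POST", "path": TARGET_PATH, "content_type": FORM,
     "body": "input_id=admin&input_pw=secret", "response": "<html>login failed</html>"},
    {"method": "POST", "path": TARGET_PATH, "content_type": FORM,
     "body": "input_id=" + quote_plus(PROBE) + "&input_pw=a", "response": "<html>login failed</html>"},
    {"method": "POST", "path": TARGET_PATH, "content_type": "application/json",
     "body": json.dumps({"input_id": PROBE, "input_pw": "a"}), "response": "XPATH syntax error: ':\\ZSL1ZSL'"},
]
```

Running `scan(SAMPLE_TXNS)` yields `[(1, 'attempt'), (2, 'confirmed')]`; the benign login is not flagged, and only the transaction whose response carries the XPATH error is reported as confirmed.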

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL