Cyber Resilience

CVE-2026-2621

Medium

Published: 17 February 2026

Published
17 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 13.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2621 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-2621 is a SQL injection vulnerability in the Sciyon Koyuan Thermoelectricity Heat Network Management System version 3.0. The issue resides in an unknown part of the file /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx, where manipulation of the PGUID argument triggers the injection. Associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity.

The vulnerability enables remote exploitation without authentication or user interaction. Attackers with network access can send crafted requests to the affected endpoint, potentially extracting sensitive data, modifying database contents, or disrupting service availability, albeit with low impact levels across confidentiality, integrity, and availability.

Advisories from VulDB (ctiid.346272, id.346272, submit.751809) and a GitHub repository detail the proof-of-concept exploit, which has been publicly disclosed. The vendor was notified early but provided no response, and no patches or mitigations are referenced.

The exploit is available publicly and may be actively used, targeting critical infrastructure like heat network management systems.

EU & UK References

Vulnerability details

A security vulnerability has been detected in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0. This affects an unknown part of the file /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx. The manipulation of the argument PGUID leads to sql injection. The attack can be initiated remotely.…

more

The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection in unauthenticated public-facing web endpoint directly enables remote exploitation (T1190); crafted queries allow direct collection from the backend database (T1213.006) and stored data manipulation (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-7173Shared CWE-74, CWE-89
CVE-2025-1894Shared CWE-74, CWE-89
CVE-2025-2654Shared CWE-74, CWE-89
CVE-2025-2738Shared CWE-74, CWE-89
CVE-2025-0562Shared CWE-74, CWE-89
CVE-2025-2740Shared CWE-74, CWE-89
CVE-2026-4473Shared CWE-74, CWE-89
CVE-2025-2386Shared CWE-74, CWE-89
CVE-2025-2660Shared CWE-74, CWE-89
CVE-2025-0536Shared CWE-74, CWE-89

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted inputs such as the PGUID parameter before they are used in SQL statements, blocking the injection vector in AsyncTreeProxy.aspx.

prevent

Enforces access-control checks prior to processing requests to the unauthenticated endpoint, preventing anonymous attackers from reaching the vulnerable SQL code path.

detect

Enables continuous monitoring and anomaly detection on web-application traffic and database queries to identify crafted PGUID payloads indicative of SQL injection attempts.

References