CVE-2026-7698
Published: 03 May 2026
Summary
CVE-2026-7698 is a high-severity Command Injection (CWE-77) vulnerability in Feishu (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by validating the untrusted 'week' argument in the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint.
Requires timely remediation of the identified command injection flaw in Tiandy Easy7 version 7.17.0 to eliminate exploitability.
Enforces authentication and authorization to block unauthenticated remote access to the vulnerable REST endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in unauthenticated public-facing web endpoint directly enables T1190 (Exploit Public-Facing Application) and results in arbitrary OS command execution via T1059 (Command and Scripting Interpreter).
NVD Description
A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely.…
more
The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-7698 is an OS command injection vulnerability affecting Tiandy Easy7 Integrated Management Platform version 7.17.0. The issue resides in an unknown functionality of the /Easy7/rest/systemInfo/updateDbBackupInfo file, where manipulation of the "week" argument enables arbitrary command execution. Classified under CWE-77 and CWE-78, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-05-03.
The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution on the underlying system. A public exploit is available, increasing the risk of widespread abuse.
VulDB advisories, linked in the references, document the issue but note that the vendor was contacted early without any response or patch release. No official mitigations or updates from Tiandy are mentioned.
Notable context includes the public availability of the exploit, which might already be in use by attackers targeting exposed instances of the platform.
Details
- CWE(s)