Cyber Resilience

CVE-2026-7698

Medium

Published: 03 May 2026

Published
03 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0209 84.4th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7698 is a medium-severity Command Injection (CWE-77) vulnerability in Feishu (inferred from references). Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability identified as CVE-2026-7698 affects Tiandy Easy7 Integrated Management Platform version 7.17.0. It resides in an unspecified function of the file /Easy7/rest/systemInfo/updateDbBackupInfo, where improper handling of the week argument enables OS command injection. The issue is tracked under CWE-77 and CWE-78, carries a CVSS 4.0 score of 5.5, and can be triggered remotely without authentication.

Remote, unauthenticated attackers can leverage the flaw to execute arbitrary operating system commands on the affected system. A publicly available exploit exists, and the vendor was notified prior to disclosure but provided no response or remediation.

The associated EPSS score remains low, with a current value of 0.0209 and a peak of 0.0214, indicating limited observed exploitation interest to date. The listed references consist primarily of vulnerability database entries and do not include vendor advisories or patch guidance.

EU & UK References

Vulnerability details

A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely.…

more

The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection in unauthenticated public-facing web endpoint directly enables T1190 (Exploit Public-Facing Application) and results in arbitrary OS command execution via T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59736Shared CWE-77, CWE-78
CVE-2025-44015Shared CWE-77, CWE-78
CVE-2025-59740Shared CWE-77, CWE-78
CVE-2026-4585Shared CWE-77, CWE-78
CVE-2026-1544Shared CWE-77, CWE-78
CVE-2025-1536Shared CWE-77, CWE-78
CVE-2025-15501Shared CWE-77, CWE-78
CVE-2026-9452Shared CWE-77, CWE-78
CVE-2026-4170Shared CWE-77, CWE-78
CVE-2026-7062Shared CWE-77, CWE-78

Affected Assets

Feishu
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by validating the untrusted 'week' argument in the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint.

prevent

Requires timely remediation of the identified command injection flaw in Tiandy Easy7 version 7.17.0 to eliminate exploitability.

prevent

Enforces authentication and authorization to block unauthenticated remote access to the vulnerable REST endpoint.

References