CVE-2012-5861 in Esolar Duo Photovoltaic System Monitor
Summary
by MITRE
Multiple SQL injection vulnerabilities on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allow remote attackers to execute arbitrary SQL commands via (1) the inverterselect parameter in a primo action to dettagliinverter.php or (2) the lingua parameter to changelanguagesession.php.
Analysis
by VulDB Data Team • 07/08/2025
The CVE-2012-5861 vulnerability represents a critical security flaw in Schneider Electric's Ezylog photovoltaic SCADA management server and related Sinapsi eSolar monitoring systems. This vulnerability affects multiple devices including the Sinapsi eSolar Light Photovoltaic System Monitor, Sinapsi eSolar, and Sinapsi eSolar DUO models with firmware versions prior to 2.0.2870_2.2.12. The vulnerability stems from inadequate input validation and sanitization within the web interface components of these industrial monitoring systems, which are commonly deployed in solar energy installations for remote monitoring and control of photovoltaic systems.
The technical flaw manifests through two distinct SQL injection attack vectors that exploit improper parameter handling in the web application's backend. The first vulnerability occurs in the primo action of the dettagliinverter.php script where the inverterselect parameter is not properly sanitized before being incorporated into SQL queries. The second vulnerability exists in the changelanguagesession.php script where the lingua parameter lacks adequate input validation, allowing attackers to manipulate database queries through maliciously crafted input. Both attack vectors enable remote exploitation without requiring authentication, making these vulnerabilities particularly dangerous in industrial environments where such systems are often accessible over networks.
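The two vectors described above share one root cause: a request parameter is spliced into a SQL string instead of being validated and bound. The following Python example is added here for illustration and is not code from the eSolar firmware or from VulDB; the table layout, the set of accepted language codes and the function names are assumptions. It contrasts a concatenated query (the pattern the text describes) with a hardened handler that type-checks `inverterselect`, allow-lists `lingua`, and binds the value as a parameter, using an in-memory SQLite database as a stand-in for the device's backend.

```python
import sqlite3

# Allow-list of language codes the session handler accepts. The real device's
# list is not on the page, so this set is a constructed placeholder.
ALLOWED_LANGUAGES = {"it", "en", "de", "fr", "es"}


def build_demo_db():
    """Create an in-memory database with a constructed 'inverter' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inverter (id INTEGER PRIMARY KEY, serial TEXT, kw REAL)")
    conn.executemany(
        "INSERT INTO inverter VALUES (?, ?, ?)",
        [(1, "INV-0001", 4.2), (2, "INV-0002", 3.9), (3, "INV-0003", 5.1)],
    )
    conn.commit()
    return conn


def inverter_detail_unsafe(conn, raw_inverterselect):
    """Vulnerable pattern (hypothetical): the raw parameter becomes part of the SQL text.

    Any value that is not a plain number changes the meaning of the WHERE clause.
    """
    query = "SELECT id, serial, kw FROM inverter WHERE id = " + raw_inverterselect
    return conn.execute(query).fetchall()


def parse_inverter_id(raw):
    """Validate the inverterselect value: it must be a string of decimal digits."""
    if not raw.isdigit():
        raise ValueError("inverterselect must be a positive integer")
    return int(raw)


def inverter_detail(conn, raw_inverterselect):
    """Hardened handler: validate first, then bind the value as a query parameter."""
    inverter_id = parse_inverter_id(raw_inverterselect)
    row = conn.execute(
        "SELECT id, serial, kw FROM inverter WHERE id = ?", (inverter_id,)
    ).fetchone()
    return None if row is None else {"id": row[0], "serial": row[1], "kw": row[2]}


def set_session_language(session, raw_lingua):
    """Hardened lingua handler: accept only an allow-listed code, reject anything else."""
    if raw_lingua not in ALLOWED_LANGUAGES:
        raise ValueError("unsupported language code")
    session["lingua"] = raw_lingua
    return session


def is_rejected(func, *args):
    """Return True when the handler refuses the input with ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    # One row for a well-formed id; the unsafe variant returns every row for a malformed one.
    print(inverter_detail_unsafe(db, "2"))
    print(inverter_detail_unsafe(db, "2 OR 1=1"))
    # The hardened variant never lets the malformed value reach the database.
    print(inverter_detail(db, "2"))
    print(is_rejected(inverter_detail, db, "2 OR 1=1"))
    print(is_rejected(set_session_language, {}, "en'"))
```

The validation step matters as much as the bound parameter: a numeric id and a short language code have a fixed shape, so anything outside that shape can be refused before a query is built, which also gives the application a clean place to log the rejected request.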
The operational impact of this vulnerability extends beyond simple data theft or modification: successful exploitation allows an attacker to execute arbitrary SQL commands against the backend database, potentially leading to full system compromise, data exfiltration, and disruption of critical solar energy monitoring operations. Industrial control systems like the Ezylog platform are often deployed in remote locations with limited physical security, making network-based attacks particularly concerning. The vulnerability affects the integrity and availability of solar energy monitoring data, which could impact operational decisions, maintenance scheduling, and overall system performance. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'), a well-documented web application weakness that frequently appears in industrial control systems due to legacy code and insufficient security testing.
The attack surface for this vulnerability is particularly concerning given that these monitoring systems are often connected to the internet and may be accessed by multiple users including system administrators, energy providers, and third-party monitoring services. The remote nature of the exploitation means that attackers can target these systems from anywhere with network connectivity, without requiring physical access or insider knowledge. From an ATT&CK framework perspective, this vulnerability enables initial access and privilege escalation capabilities, potentially allowing attackers to establish persistent access to critical infrastructure monitoring systems. Organizations implementing these systems face significant risk of operational disruption and potential safety hazards if attackers gain control over the monitoring data or manipulate system parameters.
Mitigation strategies for CVE-2012-5861 should prioritize immediate firmware updates to versions 2.0.2870_2.2.12 or later, which contain the necessary patches to address the SQL injection vulnerabilities. Network segmentation should be implemented to limit access to these monitoring systems, restricting access to authorized personnel only through secure network connections. Input validation and parameterized queries should be enforced throughout the application code to prevent similar vulnerabilities from occurring in the future. Regular security assessments and penetration testing of industrial control systems are essential to identify and remediate potential vulnerabilities before they can be exploited by malicious actors. Additionally, implementing network monitoring and intrusion detection systems can help identify suspicious database access patterns that may indicate exploitation attempts. The vulnerability highlights the critical importance of maintaining up-to-date security patches for industrial control systems and demonstrates how seemingly minor input validation issues can lead to severe operational and security consequences in critical infrastructure environments.
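Where a firmware update cannot be applied immediately, the monitoring recommendation above can be put into practice at the web server: both affected parameters have a predictable shape, so requests in which `inverterselect` is not a number or `lingua` is not a two-letter code stand out in an access log. The Python example below is added for illustration and is not part of the VulDB page or the vendor's tooling; the log lines are constructed samples in combined log format, and the expected parameter shapes are assumptions about the device rather than facts from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jul/2025:10:01:02 +0000] "GET /dettagliinverter.php?action=primo&inverterselect=2 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Jul/2025:10:01:05 +0000] "GET /changelanguagesession.php?lingua=en HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jul/2025:10:02:44 +0000] "GET /dettagliinverter.php?action=primo&inverterselect=2%20OR%201%3D1 HTTP/1.1" 200 9120 "-" "python-requests/2.31"
198.51.100.7 - - [08/Jul/2025:10:02:51 +0000] "GET /changelanguagesession.php?lingua=en%27 HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.22 - - [08/Jul/2025:10:03:10 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Expected shape of the sensitive parameter on each affected script.
# These shapes are assumed for the example; the page does not document them.
EXPECTED = {
    "dettagliinverter.php": ("inverterselect", re.compile(r"\d+")),
    "changelanguagesession.php": ("lingua", re.compile(r"[a-z]{2}")),
}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": url.path,
        # parse_qs percent-decodes values, so the check sees what the script would see.
        "params": parse_qs(url.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def find_suspicious(log_text):
    """Return one finding per request whose sensitive parameter breaks its expected shape."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        script = rec["path"].rsplit("/", 1)[-1]
        if script not in EXPECTED:
            continue
        param, shape = EXPECTED[script]
        for value in rec["params"].get(param, []):
            if shape.fullmatch(value) is None:
                findings.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "script": script,
                    "param": param,
                    "value": value,
                    "status": rec["status"],
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['script']} {f['param']}={f['value']!r} status={f['status']}")
```

The check is deliberately shape-based rather than signature-based: it does not try to recognise particular injection strings, so it flags any malformed value on these two parameters, including ones a signature list would miss, and the same rule can serve as a request filter in front of an unpatched device until the firmware can be updated.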