📄 Description (English)
A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/GetDBDataEx.jsp. Performing a manipulation of the argument strTBName results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
🤖 AI Executive Summary
A critical SQL injection vulnerability exists in Tiandy Easy7 Integrated Management Platform version 7.17.0 affecting the GetDBDataEx.jsp endpoint. The vulnerability allows remote attackers to manipulate the strTBName parameter to execute arbitrary SQL queries without authentication. With a CVSS score of 7.3 and public exploit availability, this poses an immediate threat to organizations using this platform, particularly in surveillance and security management systems deployed across Saudi Arabia.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 29, 2026 10:06
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations in the following sectors: (1) Government Security & Surveillance - Ministry of Interior, General Directorate of Investigations, and local municipality surveillance systems; (2) Banking & Financial Services - SAMA-regulated institutions using Tiandy systems for physical security; (3) Healthcare - MOHSR-regulated hospitals and clinics with integrated surveillance platforms; (4) Energy Sector - ARAMCO and downstream facilities using Tiandy for perimeter security; (5) Telecommunications - STC, Mobily, and Zain infrastructure security systems; (6) Critical Infrastructure - Airports, ports, and border security installations. The SQL injection vulnerability could lead to unauthorized database access, data exfiltration of sensitive surveillance footage metadata, system compromise, and potential lateral movement within organizational networks.
🏢 Affected Saudi Sectors
Government & Public Administration
Banking & Financial Services
Healthcare
Energy & Utilities
Telecommunications
Critical Infrastructure
Transportation & Logistics
Retail & Commerce
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1557 - Man-in-the-Middle
T1110 - Brute Force
T1040 - Network Sniffing
T1213 - Data from Information Repositories
T1005 - Data from Local System
T1041 - Exfiltration Over C2 Channel
T1021 - Remote Services
T1078 - Valid Accounts
T1087 - Account Discovery
T1010 - Application Window Discovery
T1580 - Cloud Infrastructure Discovery
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of Tiandy Easy7 version 7.17.0 in your environment using network scanning tools
2. Isolate affected systems from internet-facing access immediately - restrict access to /Easy7/apps/WebService/GetDBDataEx.jsp endpoint
3. Implement network-level access controls (WAF rules) to block requests containing SQL metacharacters in the strTBName parameter
PATCHING GUIDANCE:
1. Contact Tiandy support for emergency patching - request version 7.18.0 or later if available
2. If no patch is available from vendor, plan immediate upgrade to alternative surveillance management platform
3. Do not delay - vendor non-responsiveness indicates this may remain unpatched
COMPENSATING CONTROLS:
1. Deploy Web Application Firewall (WAF) rules to detect/block SQL injection patterns: block requests with OR, UNION, SELECT, DROP, INSERT, UPDATE, DELETE in strTBName parameter
2. Implement strict input validation at application level - whitelist only alphanumeric characters and underscores for table names
3. Apply principle of least privilege - ensure database service account has minimal permissions (read-only where possible)
4. Enable comprehensive SQL query logging and monitoring for anomalous database access patterns
5. Implement network segmentation - isolate Tiandy platform on dedicated VLAN with restricted egress
DETECTION RULES:
1. Monitor HTTP POST/GET requests to /Easy7/apps/WebService/GetDBDataEx.jsp for SQL keywords in strTBName parameter
2. Alert on database error messages returned in HTTP responses (indicates successful injection)
3. Monitor database transaction logs for unexpected SELECT queries from Tiandy service account
4. Track unusual database connection patterns or spike in query volume from Tiandy application server
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع حالات Tiandy Easy7 الإصدار 7.17.0 في بيئتك باستخدام أدوات المسح الشبكي
2. عزل الأنظمة المتأثرة عن الوصول المواجه للإنترنت فوراً - تقييد الوصول إلى نقطة نهاية /Easy7/apps/WebService/GetDBDataEx.jsp
3. تطبيق عناصر تحكم الوصول على مستوى الشبكة (قواعد WAF) لحظر الطلبات التي تحتوي على أحرف SQL في معامل strTBName
إرشادات التصحيح:
1. الاتصال بدعم Tiandy للحصول على تصحيح طارئ - طلب الإصدار 7.18.0 أو أحدث إن توفر
2. إذا لم يتوفر تصحيح من البائع، خطط للترقية الفورية إلى منصة إدارة مراقبة بديلة
3. عدم التأخير - عدم استجابة البائع يشير إلى أن هذا قد يبقى بدون تصحيح
عناصر التحكم البديلة:
1. نشر قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن أنماط حقن SQL وحظرها: حظر الطلبات التي تحتوي على OR أو UNION أو SELECT أو DROP أو INSERT أو UPDATE أو DELETE في معامل strTBName
2. تطبيق التحقق الصارم من صحة الإدخال على مستوى التطبيق - قائمة بيضاء فقط للأحرف الأبجدية الرقمية والشرطات السفلية لأسماء الجداول
3. تطبيق مبدأ أقل امتياز - التأكد من أن حساب خدمة قاعدة البيانات له أقل صلاحيات ممكنة
4. تفعيل تسجيل المراقبة الشامل لاستعلامات SQL والمراقبة للأنماط غير العادية في الوصول إلى قاعدة البيانات
5. تطبيق تقسيم الشبكة - عزل منصة Tiandy على VLAN مخصص مع تقييد الخروج
قواعد الكشف:
1. مراقبة طلبات HTTP POST/GET إلى /Easy7/apps/WebService/GetDBDataEx.jsp للبحث عن كلمات SQL الرئيسية في معامل strTBName
2. التنبيه على رسائل خطأ قاعدة البيانات المرجعة في استجابات HTTP (يشير إلى حقن ناجح)
3. مراقبة سجلات معاملات قاعدة البيانات للاستعلامات SELECT غير المتوقعة من حساب خدمة Tiandy
4. تتبع أنماط الاتصال غير العادية بقاعدة البيانات أو ارتفاع حجم الاستعلامات من خادم تطبيق Tiandy
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.6.2.1 - User Registration and De-registration
A.6.2.2 - User Access Rights
A.8.1.1 - Cryptography Policy
A.9.1.1 - Physical and Environmental Security
A.10.1.1 - Operations Security
A.10.2.1 - System Change Management
A.12.1.1 - Event Logging
A.12.2.1 - Protection of Log Information
A.14.1.1 - Information Security Requirements
A.14.2.1 - Security of Development Environments
🔵 SAMA CSF
Governance - Risk Management Framework
Governance - Third-Party Risk Management
Protect - Access Control and Authentication
Protect - Data Protection and Privacy
Protect - System and Communications Protection
Detect - Security Monitoring and Incident Detection
Respond - Incident Response Planning
Recover - Business Continuity and Disaster Recovery
🟡 ISO 27001:2022
5.1 - Policies for information security
6.1 - Information security roles and responsibilities
6.2 - Information security responsibilities of management
8.1 - Responsibility for assets
8.2 - Information classification
8.3 - Handling of assets
8.4 - Access control
8.5 - Cryptography
8.6 - Physical and environmental security
8.7 - Operations security
8.8 - Communications security
8.9 - Systems acquisition, development and maintenance
8.10 - Supplier relationships
8.11 - Information security incident management
8.12 - Business continuity management
8.13 - Compliance
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration
Requirement 2 - Do not use vendor-supplied defaults
Requirement 6 - Develop and maintain secure systems and applications
Requirement 6.2 - Ensure all system components are protected from known vulnerabilities
Requirement 8 - Identify and authenticate access to system components
Requirement 10 - Track and monitor all access to network resources
Requirement 11 - Regularly test security systems and processes