CVE-2026-8217
Command Injection in IAS Canias ERP 8.03
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| industrial_application_software | canias_erp | 8.03 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Industrial Application Software IAS Canias ERP 8.03 allows unauthenticated remote code execution and full system compromise, which can lead to unauthorized access, manipulation, or disclosure of sensitive data.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and ensure data integrity and confidentiality.
Because the exploit requires no authentication and can be initiated remotely, it increases the risk of data exposure or system misuse, potentially leading to violations of these regulations.
Can you explain this vulnerability to me?
CVE-2026-8217 is a critical security vulnerability in Industrial Application Software IAS Canias ERP version 8.03. It affects the Runtime.getRuntime.exec function of the RMI Interface component, allowing an attacker to perform OS command injection by manipulating the argument troiaCode. The attack can be initiated remotely without authentication.
The exploit chain involves multiple vulnerabilities including unauthenticated session enumeration, session hijacking, command execution, and unauthorized file reading. An attacker can connect to the Java RMI interface on port 27499, identify active sessions, execute arbitrary OS commands with the privileges of the caniasERP service account, and read command outputs through file transfer mechanisms.
This vulnerability allows full system compromise without any user interaction or authentication, making it particularly dangerous.
How can this vulnerability impact me? :
This vulnerability can lead to a complete system compromise of the affected Canias ERP system. An attacker can remotely execute arbitrary OS commands with the privileges of the ERP service account, potentially gaining control over the system.
The attacker can enumerate active user sessions, hijack sessions, execute commands, and read files without authentication or user interaction. This can result in unauthorized access to sensitive data, disruption of business operations, and further exploitation of the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable Java RMI interface exposed on port 27499, which is the default port for the caniasERP IAS server remote interface.
A practical detection method involves attempting to connect to this port and observing if the service responds, indicating exposure to the vulnerability.
Additionally, commands can be executed remotely via the exploit chain, so testing for unauthorized command execution attempts such as 'whoami' or 'hostname' through the interface can help identify exploitation.
- Use network scanning tools (e.g., nmap) to check if port 27499 is open on the target system: nmap -p 27499 <target-ip>
- Attempt to connect to the Java RMI interface on port 27499 using tools like 'telnet' or 'nc' to verify service availability: telnet <target-ip> 27499
- Monitor logs or network traffic for suspicious commands such as 'whoami' or 'hostname' being executed remotely via the RMI interface.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or blocking access to the vulnerable Java RMI interface on port 27499 to prevent remote exploitation.
Since the vulnerability allows unauthenticated remote code execution, network-level controls such as firewall rules should be applied to limit exposure.
If possible, disable the vulnerable RMI interface or restrict it to trusted internal networks only.
Monitor systems for signs of compromise and unauthorized command execution.
Contact the vendor for patches or updates, although the vendor has not responded to this disclosure as of the last update.