Primary

Context

Tiandy Easy7 Integrated Management Platform Unauthenticated Password Reset Vulnerability

Vulnerability

A vulnerability in Tiandy Easy7 Integrated Management Platform version 7.17.0 allows for unauthenticated password reset through the API endpoint /rest/user/updateUserPassword. This remote exploitation can lead to weak password recovery. The vulnerability has been publicly disclosed and is actively exploitable.

Impact

Exploitation of this vulnerability allows for unauthorized password resets, potentially leading to unauthorized access to user accounts.

Reproduction

To exploit this vulnerability, send a POST request to the /Easy7/rest/user/updateUserPassword endpoint. The request should include the userId parameter set to 'admin', along with a new password. No authentication or authorization headers are required.

Added: May 26, 2026, 7:08 PM

Updated: May 26, 2026, 7:08 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.7

remediation

0.0

relevance

9.4

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.7

remediation

0.0

relevance

9.4

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tiandy Easy7 Integrated Management Platform Unauthenticated Password Reset Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

Tiandy Easy7 Integrated Management Platform

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating