CVE-2026-4585

Tiandy · Easy7 Integrated Management Platform

Tiandy Easy7 Integrated Management Platform contains an OS command injection vulnerability in its Configuration Handler, allowing remote attackers to execute commands via the File argument.

Executive summary

The Tiandy Easy7 Integrated Management Platform is vulnerable to a critical remote OS command injection flaw that allows unauthenticated attackers to seize full control of the system.

Vulnerability

The vulnerability exists in the Configuration Handler component within the /Easy7/apps/WebService/ImportSystemConfiguration.jsp file. By manipulating the "File" argument, a remote attacker can trigger an OS command injection without requiring valid credentials.

Business impact

Impacted organizations face a total compromise of their management platform, which likely controls physical security or surveillance infrastructure. An attacker could disable security controls, access sensitive video feeds, or use the platform as a pivot point for further network attacks. The CVSS score of 9.8 underscores the high risk due to the ease of remote exploitation and the lack of vendor responsiveness.

Remediation

Immediate Action: Since the vendor has not responded to disclosure, administrators should consider isolating the Easy7 platform from the internet and restricting internal access.

Proactive Monitoring: Monitor web server logs for suspicious requests directed at the ImportSystemConfiguration.jsp endpoint, specifically looking for shell-related syntax in the File parameter.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block OS command injection patterns in HTTP POST requests.
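
The log check described under Proactive Monitoring, as an added example that is not part of the original advisory or of any vendor tooling. It assumes combined-format access logs; the metacharacter set, the constructed sample lines and the "review" verdict for endpoint hits with no flagged File value (for instance a POST body, which access logs do not record) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint named in the advisory, compared case-insensitively.
ENDPOINT = "/easy7/apps/webservice/importsystemconfiguration.jsp"
# Assumed set of shell-special syntax; tune it for the shell on the host.
SHELL_SYNTAX = re.compile(r"[;&|`<>\n\r]|\$\(|\$\{")
# Request field of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines using documentation IP ranges
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /Easy7/apps/WebService/ImportSystemConfiguration.jsp?File=cfg.bak%3Bid HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "POST /Easy7/apps/WebService/ImportSystemConfiguration.jsp HTTP/1.1" 200 87',
    '198.51.100.4 - - [01/Jan/2026:10:01:00 +0000] "GET /Easy7/index.jsp?File=a%7Cb HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2026:10:02:00 +0000] "GET /easy7/apps/webservice/ImportSystemConfiguration.jsp?file=cfg%253Bid HTTP/1.1" 404 0',
]

def classify(line):
    """Return 'shell-syntax', 'review', or None for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Drop any ";jsessionid=..." path parameter before comparing.
    path = unquote(parts.path).split(";")[0].lower()
    if path != ENDPOINT:
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != "file":
            continue
        # parse_qsl decoded once; decode again to catch double encoding.
        if SHELL_SYNTAX.search(value) or SHELL_SYNTAX.search(unquote(value)):
            return "shell-syntax"
    # The endpoint was requested but nothing was flagged in the query string.
    # A POST body is not in the access log, so the hit still needs a look.
    return "review"

def scan(lines):
    """Return (verdict, client_ip) for every line that needs attention."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((verdict, line.split()[0]))
    return hits

if __name__ == "__main__":
    for verdict, ip in scan(SAMPLE_LOG):
        print(verdict, ip)
```

Because the File value may travel in a POST body, a "review" hit should be correlated with WAF or reverse-proxy body logging where that is available.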

Exploitation status

Public Exploit Available: Yes

Analyst recommendation

Due to the availability of a public exploit and the lack of a formal patch from Tiandy, this vulnerability represents an extreme risk. It is recommended to decommission the software or place it behind a strictly controlled VPN until a fix is verified.