CRITICAL CVE-2026-10731 Published Modified CNA INCIBE

CVE-2026-10731: SQL injection in Nemon products

SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 2


HarborGuard Analysis

Synopsis

SQL injection in Nemon Trade Energy (version 2.95.55) and Nemon Trade Energy CRM (version 2.95.55) allows unauthenticated attackers to inject arbitrary SQL through the 'two_steps_auth_code' parameter in the '/user-login' endpoint. The vulnerable 2FA endpoint is reachable over the network with no prior login required, meaning any attacker who can reach the service can send malicious input directly to the backend database. Successful exploitation gives an attacker full read and write access to the database, the ability to create privileged accounts, and the ability to crash the service. HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected Nemon base layers, in both registry scans and active CI/CD pipeline checks.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 9.3 Critical and weighting it against each environment's compliance policy, then routing the alert to the appropriate team inbox within the customer organization.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention as soon as a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the '/user-login' endpoint over the network; no physical or local access is needed.

  • Authentication: Not required

    The vulnerable 2FA endpoint is accessible before any login step, so no credentials of any kind are needed.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the endpoint; no user action or social engineering is involved.

  • Attack complexity: Detail

    Exploit conditions are straightforward and reliable, with no race conditions, special configurations, or environmental factors required.

Blast Radius

  • Reads any data stored in the backend database, including user credentials, session tokens, and business records.
  • Creates new privileged user accounts, giving the attacker persistent administrative access to the application.
  • Modifies or deletes critical database rows, corrupting application data or erasing audit trails.
  • Triggers denial-of-service conditions by issuing resource-exhausting or destructive SQL queries against the database.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-10731, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment Nemon publishes a fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR flow will trigger automatically at that point. In the meantime, compensating controls worth considering include network-policy isolation that restricts access to the '/user-login' endpoint to trusted source ranges only, egress filtering to limit lateral movement if exploitation occurs, and a web application firewall rule that blocks SQL metacharacter sequences in the 'two_steps_auth_code' parameter. Customers should treat this as a critical-priority finding given the absence of any authentication barrier and the full confidentiality, integrity, and availability impact confirmed by the CVSS score.
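
One way to express the parameter filter mentioned above, as an added example (not HarborGuard or Nemon code). It uses an allowlist of the expected code format rather than a metacharacter blocklist, and it assumes a form-encoded request and a 4 to 8 digit code; the advisory states neither, and the function name is hypothetical.

```python
import re
from urllib.parse import parse_qs

PROTECTED_PATH = "/user-login"      # endpoint named in the advisory
PARAM = "two_steps_auth_code"       # parameter named in the advisory
# Assumption: a legitimate 2FA code is 4 to 8 ASCII digits.
# [0-9] (not \d) excludes non-ASCII digits; fullmatch() rejects a trailing newline.
CODE_RE = re.compile(r"[0-9]{4,8}")


def inspect_request(target: str, body: str) -> tuple:
    """Return (allowed, reason) for a request target and form-encoded body."""
    path, _, query = target.partition("?")
    if path.rstrip("/") != PROTECTED_PATH:
        return True, "not the protected endpoint"
    # Look at the query string and the body together, so the parameter cannot
    # be supplied in one place while only the other is checked.
    # parse_qs percent-decodes values, so %27 is seen as a quote character.
    merged = "&".join(part for part in (query, body) if part)
    values = parse_qs(merged, keep_blank_values=True).get(PARAM)
    if values is None:
        return True, "no 2FA code in this request"
    if len(values) != 1:
        return False, "parameter supplied more than once"
    if not CODE_RE.fullmatch(values[0]):
        return False, "2FA code is not 4-8 ASCII digits"
    return True, "well-formed 2FA code"


if __name__ == "__main__":
    # Constructed sample requests, not taken from real traffic.
    samples = [
        ("/user-login", "user=alice&two_steps_auth_code=123456"),
        ("/user-login", "user=alice&two_steps_auth_code=12345%27"),
        ("/user-login", "two_steps_auth_code=123456&two_steps_auth_code=1"),
        ("/user-login?two_steps_auth_code=123456", "two_steps_auth_code=654321"),
        ("/user-login", "two_steps_auth_code=123456%0A"),
        ("/reports", "q=anything"),
    ]
    for target, body in samples:
        allowed, reason = inspect_request(target, body)
        print("ALLOW" if allowed else "BLOCK", target, "-", reason)
```

A filter like this only narrows what reaches the endpoint; the injection itself stays in the application until the vendor fixes the query.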

Affected packages
  • Nemon / Nemon Trade Energy
    2.95.55
  • Nemon / Nemon Trade Energy CRM
    2.95.55
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N