PatchSiren cyber security CVE debrief
CVE-2022-45090 Gruparge CVE debrief
CVE-2022-45090 is a HIGH severity SQL Injection vulnerability (CVSS 3.1: 8.8) in Gruparge Smartpower Web, an energy and control systems management platform. The vulnerability stems from improper input validation (CWE-89) and allows authenticated attackers with low privileges to execute arbitrary SQL commands, potentially leading to complete confidentiality, integrity, and availability compromise of the application database. The vulnerability affects all versions prior to 23.01.01. This CVE was published on February 12, 2023, and was last modified on May 18, 2026. The vulnerability was disclosed through Turkish national cybersecurity authorities (USOM/TR-23-0066), indicating coordinated disclosure with regional critical infrastructure protection implications. No known exploitation in ransomware campaigns has been documented (non-KEV). Organizations running affected Smartpower Web deployments should prioritize patching to version 23.01.01 or later and implement defense-in-depth measures including input validation, parameterized queries, and database activity monitoring.
- Vendor: Gruparge
- Product: Smartpower Web
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-02-12
- Original CVE updated: 2026-05-18
- Advisory published: 2023-02-12
- Advisory updated: 2026-05-18
Who should care
Organizations operating Gruparge Smartpower Web for energy management and industrial control; critical infrastructure operators in the energy sector; security teams responsible for OT/IT convergence environments; Turkish national infrastructure operators subject to USOM advisories
Technical summary
Improper input validation in Gruparge Smartpower Web before version 23.01.01 enables authenticated SQL injection attacks. The vulnerability (CWE-89) allows low-privileged attackers to manipulate database queries through unsanitized input vectors, with network-accessible attack surface (AV:N), low attack complexity (AC:L), and high impact across confidentiality, integrity, and availability dimensions (C:H/I:H/A:H). The affected product is an energy and control systems web management platform, placing operational technology environments at risk.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Smartpower Web to version 23.01.01 or later to remediate the SQL injection vulnerability
- Implement parameterized queries and prepared statements for all database interactions
- Deploy web application firewall (WAF) rules to detect and block SQL injection attempts
- Enable comprehensive logging and monitoring of database query activity for anomaly detection
- Conduct security code review of input validation mechanisms across the application
- Restrict the privileges of the application's database account according to the principle of least privilege, so an injected query cannot reach tables or statements the application never needs
- Verify backup and recovery procedures for critical energy management system databases
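As an added illustration of the "parameterized queries and prepared statements" action above (this is example code written for this debrief, not code from Gruparge or from Smartpower Web, whose internals are not public): a string-built lookup of the CWE-89 kind beside a hardened version that allow-lists the input shape and binds the value as a parameter. The meter_readings table, its rows and the MTR-nnn id format are constructed for the demo.

```python
import re
import sqlite3

# Constructed stand-in for an energy-management table (not the product's schema).
_SCHEMA = """
CREATE TABLE meter_readings (meter_id TEXT, site TEXT, kwh REAL);
INSERT INTO meter_readings VALUES ('MTR-001', 'substation-a', 120.5);
INSERT INTO meter_readings VALUES ('MTR-002', 'substation-b', 98.0);
INSERT INTO meter_readings VALUES ('MTR-003', 'substation-b', 143.2);
"""

def _connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn

def readings_vulnerable(meter_id):
    """CWE-89 pattern: the caller's string is spliced into the SQL text,
    so a quote in the input changes the query instead of being matched as data."""
    conn = _connect()
    sql = ("SELECT meter_id, site, kwh FROM meter_readings "
           "WHERE meter_id = '" + meter_id + "'")
    return conn.execute(sql).fetchall()

# Allow-list for the assumed id format; anything else is rejected before any SQL runs.
_METER_ID = re.compile(r"MTR-\d{3}")

def is_valid_meter_id(meter_id):
    return _METER_ID.fullmatch(meter_id) is not None

def readings_hardened(meter_id):
    """Input validation first, then a parameterized query: the driver binds the
    value as data, so even a quote-bearing string can only be compared, never parsed."""
    if not is_valid_meter_id(meter_id):
        raise ValueError("rejected meter id: %r" % meter_id)
    conn = _connect()
    sql = "SELECT meter_id, site, kwh FROM meter_readings WHERE meter_id = ?"
    return conn.execute(sql, (meter_id,)).fetchall()

if __name__ == "__main__":
    crafted = "x' OR '1'='1"          # constructed tautology input for the demo
    print(readings_vulnerable("MTR-001"))   # one row, as intended
    print(readings_vulnerable(crafted))     # every row: the WHERE clause was rewritten
    print(readings_hardened("MTR-001"))     # one row
    try:
        readings_hardened(crafted)
    except ValueError as exc:
        print("hardened path refused input:", exc)
```

The same two-layer pattern (validate the shape, then bind the value) is what a code review of the application's input-handling paths should look for.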
Evidence notes
SQL Injection via improper input validation; authenticated attack vector (PR:L); affects energy/control systems sector
Official resources
- CVE-2022-45090 CVE record (CVE.org)
- CVE-2022-45090 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Coordinated disclosure through the Turkish National Cyber Security Authority (USOM) as TR-23-0066