Delta Electronics DIAEnergie SQL Injection in HandlerDialog_KID.ashx
Description
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerDialog_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Delta Electronics DIAEnergie prior to 1.9 contains a blind SQL injection in HandlerDialog_KID.ashx (CVE-2022-0923) allowing remote, unauthenticated attackers to read/modify databases and execute system commands.
Vulnerability
A blind SQL injection vulnerability exists in the HandlerDialog_KID.ashx endpoint of Delta Electronics DIAEnergie, an industrial energy management system, prior to version 1.9 [1]. The vulnerability is due to improper neutralization of special elements used in an SQL command (CWE-89). According to the initial advisory, all versions prior to 1.8.02.004 are affected, but the updated CISA advisory lists all versions prior to 1.9. This is a different endpoint from the one covered by CVE-2022-26667, a separate SQL injection that affects GetDemandAnalysisData [1].
Exploitation
An attacker can exploit this vulnerability remotely over a network without authentication or user interaction [1]. The attack complexity is low. The attacker sends specially crafted HTTP requests to the HandlerDialog_KID.ashx endpoint, placing SQL syntax in parameters that are not properly neutralized before being used in a query. Because the injection is blind, query results are not echoed in the response; the attacker instead infers information indirectly, for example from response timing or error behaviour.
Impact
Successful exploitation allows an attacker to retrieve and modify arbitrary database contents, potentially gaining access to sensitive information stored in the DIAEnergie database. More critically, the description and CISA advisory state that an attacker can also execute arbitrary system commands on the underlying operating system [1]. Given the high CVSS v3 base score of 9.8, this can lead to full compromise of confidentiality, integrity, and availability of the affected system.
Mitigation
Delta Electronics released DIAEnergie version 1.9 to address this vulnerability [1]. Users should update to version 1.9 or later. As of the latest CISA update (Update C, 2022-04-28), this version is available. No workarounds have been published. If updating is not immediately possible, restricting network access to the DIAEnergie application and monitoring for suspicious requests to HandlerDialog_KID.ashx may reduce risk. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.8.02.004
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.