Delta Electronics DIAEnergie SQL Injection in DIAE_hierarchyHandler.ashx
Description
Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) has a blind SQL injection vulnerability in HandlerTag_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind SQL injection in Delta Electronics DIAEnergie's HandlerTag_KID.ashx allows remote attackers to execute arbitrary SQL and system commands.
Vulnerability
A blind SQL injection vulnerability exists in the HandlerTag_KID.ashx endpoint of Delta Electronics DIAEnergie. All versions prior to 1.8.02.004 (and subsequently prior to 1.9 per updated advisory) are affected. The vulnerability is remotely exploitable without authentication, requiring only a crafted HTTP request to the vulnerable handler.
Exploitation
An attacker can send specially crafted HTTP requests to HandlerTag_KID.ashx to inject arbitrary SQL queries. The blind nature of the injection means the attacker may need to use time-based or error-based techniques to extract information. No prior authentication or user interaction is required, and the attack complexity is low.
Impact
Successful exploitation allows the attacker to retrieve and modify database contents, and execute system commands on the underlying system. This leads to full compromise of confidentiality, integrity, and availability, potentially enabling remote code execution and complete control of the affected device.
Mitigation
Delta Electronics released version 1.9 to address this vulnerability. Users should update to 1.9 or later. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the advisory publication date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.8.02.004
- (no CPE) range: unspecified
Patches
No patches discovered yet.
References
1. www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 (mitre, x_refsource_CONFIRM)