Delta Electronics DIAEnergie SQL Injection in HandlerCommon.ashx
Description
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerCommon.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind SQL injection vulnerability in Delta Electronics DIAEnergie allows remote, unauthenticated attackers to compromise database contents and execute system commands.
Vulnerability
A blind SQL injection vulnerability exists in the HandlerCommon.ashx endpoint of Delta Electronics DIAEnergie, affecting all versions prior to 1.8.02.004 (and subsequently all versions prior to 1.9 per later advisories [1]). The vulnerability is classified as CWE-89 and allows an attacker to inject arbitrary SQL queries without authentication [1].
Exploitation
An attacker can exploit this vulnerability remotely over the network with low complexity, requiring no authentication or user interaction [1]. The attacker sends crafted SQL queries to the vulnerable endpoint, leveraging blind SQL injection techniques to extract information or execute commands; the exact sequence of steps is not detailed in the available references, but the low attack complexity and remote exploitability are confirmed [1].
Impact
Successful exploitation allows the attacker to retrieve and modify database contents, and potentially execute arbitrary system commands at the privilege level of the application, leading to full compromise of confidentiality, integrity, and availability [1]. The CVSS v3 base score is 9.8, indicating critical severity [1].
Mitigation
Delta Electronics released DIAEnergie version 1.9 to address this vulnerability [1]. Users should update to version 1.9 or later. No workarounds are mentioned in the available references. The vulnerability is not known to be listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: < 1.8.02.004
- (no CPE), range: unspecified
Patches
No patches discovered yet.
References
[1] www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 (source: mitre, x_refsource_CONFIRM)