VYPR
Unrated severity · NVD Advisory · Published Mar 29, 2022 · Updated Apr 16, 2025

Delta Electronics DIAEnergie SQL Injection in GetQueryData

CVE-2022-26059

Description

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetQueryData. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Delta Electronics DIAEnergie versions prior to 1.8.02.004 are vulnerable to blind SQL injection in GetQueryData, enabling remote attackers to extract/modify database contents and execute system commands.

Vulnerability

CVE-2022-26059 is a blind SQL injection vulnerability in the DIAEnergie industrial energy management software, specifically in the GetQueryData endpoint. All versions prior to 1.8.02.004 are affected [1]. The flaw is an improper neutralization of special elements used in an SQL command, which allows an attacker to inject arbitrary SQL queries [1].

Exploitation

An attacker can exploit this vulnerability remotely over the network without requiring authentication, as the affected endpoint is accessible pre-authentication [1]. The attack complexity is low, and no user interaction is needed. By crafting a malicious SQL query, the attacker can leverage the blind injection to extract information or perform actions, although concrete exploit steps have not been disclosed in the available references [1].

Impact

Successful exploitation allows the attacker to retrieve and modify database contents and execute arbitrary system commands on the underlying server [1]. This leads to complete compromise of confidentiality, integrity, and availability (CIA), with a CVSS v3 base score of 9.8 [1]. The attacker can achieve remote code execution at the system level, potentially taking full control of the affected DIAEnergie installation.

Mitigation

Delta Electronics has released version 1.9 of DIAEnergie, which addresses this vulnerability [1]. Users should upgrade to version 1.9 or later. Steps to obtain the update from the vendor are detailed in the CISA advisory [1]. For those unable to upgrade immediately, CISA recommends applying defense-in-depth measures, minimizing network exposure, and using firewalls to restrict access to the affected system [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
