Delta Electronics DIAEnergie SQL Injection in GetLatestDemandNode and GetDemandAnalysisData
Description
Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) has a blind SQL injection vulnerability in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Delta Electronics DIAEnergie versions prior to 1.9 are vulnerable to blind SQL injection in GetLatestDemandNode, allowing remote attackers to retrieve/modify database content and execute system commands.
Vulnerability
A blind SQL injection vulnerability exists in the GetLatestDemandNode function of Delta Electronics DIAEnergie. Affected versions include all releases prior to version 1.9 [1]. The flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Exploitation
The vulnerability can be exploited remotely over the network without authentication or user interaction. An attacker can inject arbitrary SQL queries into the vulnerable function, which processes user-supplied input without proper sanitization. The low attack complexity allows for easy exploitation [1].
Impact
Successful exploitation enables an attacker to retrieve and modify database contents, and execute system commands. This can lead to full compromise of confidentiality, integrity, and availability, with a CVSS v3 base score of 9.8 (Critical) [1].
Mitigation
Delta Electronics has released version 1.9 of DIAEnergie to address this vulnerability. Users are advised to update to version 1.9 or later. As of the advisory publication date (March 29, 2022), no workaround has been provided [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.8.02.004
- (no CPE) range: unspecified
References
[1] www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 (mitre, x_refsource_CONFIRM)