Unrated severity · NVD Advisory · Published Mar 29, 2022 · Updated Apr 16, 2025

Delta Electronics DIAEnergie SQL Injection in HandlerPage_KID.ashx

CVE-2022-26069

Description

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerPage_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Delta Electronics DIAEnergie versions prior to 1.8.02.004 contain a blind SQL injection vulnerability in HandlerPage_KID.ashx, allowing remote attackers to execute arbitrary SQL and system commands.

Vulnerability

Delta Electronics DIAEnergie, an industrial energy management system, is vulnerable to a blind SQL injection in the HandlerPage_KID.ashx component. This affects all versions prior to 1.8.02.004. The flaw is a classic improper neutralization of special elements used in an SQL command (CWE-89), enabling an unauthenticated attacker to inject arbitrary SQL queries [1].

Exploitation

An attacker can exploit this vulnerability remotely over the network without needing authentication or user interaction. The attack complexity is low. By sending specially crafted HTTP requests to the vulnerable endpoint, the attacker can perform blind SQL injection to extract data, modify database contents, and ultimately execute operating system commands [1].

Impact

Successful exploitation allows the attacker to retrieve and modify all database contents, including sensitive information. More critically, the SQL injection can be leveraged to execute arbitrary system commands on the underlying server, leading to full compromise of confidentiality, integrity, and availability. The CVSS v3 score is 9.8 (Critical) [1].

Mitigation

Delta Electronics released version 1.8.02.004 to address this vulnerability. Users are urged to update to version 1.9 or later as recommended in the CISA advisory. If immediate patching is not possible, network segmentation and restricting access to DIAEnergie web interfaces are advised. No workaround is available, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
