Delta Electronics DIAEnergie SQL Injection in DIAE_hierarchyHandler.ashx
Description
Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) has a blind SQL injection vulnerability in HandlerPageP_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Delta Electronics DIAEnergie versions prior to 1.9 contain a blind SQL injection in HandlerPageP_KID.ashx, enabling data theft, modification, and RCE.
Vulnerability
CVE-2022-26338 is a blind SQL injection vulnerability in the HandlerPageP_KID.ashx endpoint of Delta Electronics DIAEnergie, an industrial energy management system. The flaw affects all versions prior to 1.8.02.004 (as per the initial advisory), and the affected product range extends to versions prior to 1.9 [1]. The vulnerability exists because user-supplied input is not properly neutralized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability remotely with low attack complexity, as no special privileges or user interaction is required [1]. The attacker sends crafted HTTP requests to the vulnerable HandlerPageP_KID.ashx handler, injecting SQL commands through parameters. Since the injection is blind (the attacker does not directly see query results), the attacker must use time-based or error-based techniques to extract information [1].
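For defenders reviewing an unpatched server, the time-based and error-based probing described above tends to show up in web logs as one client producing repeated slow responses or 5xx errors on this handler. The following triage script is an added example, not code from the advisory or the vendor; it assumes IIS W3C extended logs with the fields shown, and the thresholds, paths and log lines are constructed for illustration.

```python
from collections import defaultdict

HANDLER = "handlerpagep_kid.ashx"  # handler named in the advisory
SLOW_MS = 4000   # assumed: responses this slow suggest injected delays
MIN_HITS = 3     # assumed: suspicious requests per client before flagging

# Constructed sample in IIS W3C extended format; not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2022-03-22 10:00:01 192.0.2.10 POST /HandlerPageP_KID.ashx 200 120
2022-03-22 10:00:04 192.0.2.10 POST /HandlerPageP_KID.ashx 500 95
2022-03-22 10:01:10 198.51.100.7 POST /HandlerPageP_KID.ashx 200 5031
2022-03-22 10:01:16 198.51.100.7 POST /HandlerPageP_KID.ashx 200 5012
2022-03-22 10:01:17 198.51.100.7 POST /HandlerPageP_KID.ashx 500 40
2022-03-22 10:01:23 198.51.100.7 POST /HandlerPageP_KID.ashx 200 5044
2022-03-22 10:01:24 198.51.100.7 POST /HandlerPageP_KID.ashx 200 110
2022-03-22 10:02:00 203.0.113.5 GET /Default.aspx 200 6000
"""


def triage(log_text):
    """Return {client_ip: {"slow": n, "errors": n}} for clients worth review."""
    fields = []
    stats = defaultdict(lambda: {"slow": 0, "errors": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order is set per server
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith(HANDLER):
            continue                       # only the affected handler
        try:
            ip = row["c-ip"]
            status, took = int(row["sc-status"]), int(row["time-taken"])
        except (KeyError, ValueError):
            continue                       # skip malformed or partial rows
        if took >= SLOW_MS:
            stats[ip]["slow"] += 1
        if status >= 500:
            stats[ip]["errors"] += 1
    return {ip: s for ip, s in stats.items()
            if s["slow"] + s["errors"] >= MIN_HITS}


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG).items():
        print(ip, s)
```

A flagged client is a lead for review, not proof of exploitation; tune both thresholds against the handler's normal response times.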
Impact
Successful exploitation allows the attacker to retrieve and modify database contents, potentially leading to disclosure of sensitive data, corruption of stored information, and ultimately execution of system commands on the underlying server [1]. The CVSS v3 base score is 9.8 (Critical), with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating complete compromise of confidentiality, integrity, and availability [1].
Mitigation
Delta Electronics released version 1.9 of DIAEnergie to address this vulnerability, as noted in CISA's updated advisory (Update C) [1]. Users are strongly recommended to update to version 1.9 or later. No workarounds are provided for versions prior to 1.8.02.004. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory publication date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.8.02.004
- (no CPE) range: unspecified
Patches
No patches discovered yet.
References
- [1] www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 (mitre, x_refsource_CONFIRM)