Delta Electronics DIAEnergie SQL Injection in DIAE_eccoefficientHandler.ashx
Description
Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) has a blind SQL injection vulnerability in DIAE_eccoefficientHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in DIAE_eccoefficientHandler.ashx in Delta Electronics DIAEnergie allows remote unauthenticated attackers to execute arbitrary SQL and system commands.
Vulnerability
A blind SQL injection vulnerability exists in the DIAE_eccoefficientHandler.ashx endpoint of Delta Electronics DIAEnergie, an industrial energy management system. All versions prior to 1.8.02.004 are affected. The flaw occurs when user-supplied input is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL statements.
Exploitation
An attacker can exploit this vulnerability remotely over the network without authentication and with low attack complexity. By sending a specially crafted HTTP request to the vulnerable handler, the attacker can inject SQL commands. Because the injection is blind, the attacker may need to infer query results through timing delays or boolean responses, but the attack does not require any user interaction or special privileges.
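Blind injection that relies on timing delays or boolean responses tends to show up in web server logs as slow responses and bursts of requests against the one handler. The following added example (not part of the advisory or the vendor's code) scans IIS W3C logs for that pattern; the log lines, request path and thresholds are constructed assumptions.

```python
from collections import defaultdict

HANDLER = "diae_eccoefficienthandler.ashx"  # endpoint named in the advisory

# Constructed sample in IIS W3C extended format; IPs, paths and timings are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2022-03-22 10:00:01 192.0.2.10 POST /DIAE_eccoefficientHandler.ashx - 200 41
2022-03-22 10:02:10 198.51.100.7 POST /DIAE_eccoefficientHandler.ashx - 200 38
2022-03-22 10:02:11 198.51.100.7 POST /DIAE_eccoefficientHandler.ashx - 200 5012
2022-03-22 10:02:17 198.51.100.7 POST /DIAE_eccoefficientHandler.ashx - 200 44
2022-03-22 10:02:18 198.51.100.7 POST /DIAE_eccoefficientHandler.ashx - 200 5008
2022-03-22 10:02:24 198.51.100.7 POST /DIAE_eccoefficientHandler.ashx - 200 40
2022-03-22 10:02:25 198.51.100.7 POST /DIAE_eccoefficientHandler.ashx - 200 39
2022-03-22 10:05:00 203.0.113.5 GET /Login.aspx - 200 6000
2022-03-22 10:07:30 192.0.2.44 POST /DIAE_eccoefficientHandler.ashx - 200 5100
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def suspicious_clients(text, slow_ms=4000, burst=5):
    """Map client IP -> reasons its traffic to the handler warrants review.

    slow_ms and burst are assumed thresholds; tune them to the site's baseline.
    """
    times_by_ip = defaultdict(list)
    for row in parse_w3c(text):
        if row["cs-uri-stem"].lower().endswith(HANDLER):
            times_by_ip[row["c-ip"]].append(int(row["time-taken"]))  # milliseconds
    report = {}
    for ip, times in times_by_ip.items():
        reasons = []
        slow = sum(t >= slow_ms for t in times)
        if slow:
            reasons.append(f"{slow} slow responses")
        if len(times) >= burst:
            reasons.append(f"{len(times)} requests")
        if reasons:
            report[ip] = reasons
    return report
```

Because IIS does not log POST bodies, the check keys on response time and request volume rather than on payload content.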
Impact
Successful exploitation enables the attacker to retrieve, modify, or delete database contents and execute arbitrary system commands on the underlying server. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS v3 base score is 9.8 (Critical).
Mitigation
Delta Electronics has addressed this vulnerability in version 1.8.02.004 and later releases. Users should update to the latest version as soon as possible. The CISA advisory [1] recommends upgrading to version 1.9 or higher. No workarounds are documented; applying the vendor patch is the only known mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: < 1.8.02.004
- (no CPE) range: unspecified
Patches
No patches discovered yet.
References
- [1] www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 (mitre, x_refsource_CONFIRM)