VYPR
Unrated severity · NVD Advisory · Published Mar 29, 2022 · Updated Apr 16, 2025

Delta Electronics DIAEnergie SQL Injection in HandlerDialogECC.ashx

CVE-2022-26666

Description

Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) has a blind SQL injection vulnerability in HandlerECC.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A blind SQL injection vulnerability in Delta Electronics DIAEnergie's HandlerECC.ashx allows remote attackers to execute arbitrary SQL commands and system commands.

Vulnerability

A blind SQL injection vulnerability exists in the HandlerECC.ashx endpoint of Delta Electronics DIAEnergie. All versions prior to 1.9.0 (and prior to 1.8.02.004 per the CVE description) are affected. The vulnerability lies in improper neutralization of special elements used in SQL commands (CWE-89). An attacker can exploit this by sending malicious HTTP requests to the vulnerable endpoint. [1]

Exploitation

This vulnerability is remotely exploitable over the network with low attack complexity. No authentication or user interaction is required. An attacker can craft a POST request to HandlerECC.ashx with malicious SQL payloads in the input parameters, allowing them to inject arbitrary SQL queries. [1]

Impact

Successful exploitation allows an attacker to retrieve and modify database contents, execute arbitrary SQL queries, and execute system commands on the underlying operating system. This could lead to full compromise of the DIAEnergie system, including data exfiltration, data tampering, and potential remote code execution. [1]

Mitigation

Delta Electronics has released version 1.9.0 of DIAEnergie to address this vulnerability. Users should update to version 1.9.0 or later. The CISA advisory (ICSA-22-081-01) recommends upgrading immediately. No workarounds are available. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
