Delta Electronics DIAEnergie SQL Injection in GetDemandAnalysisData
Description
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetDemandAnalysisData. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind SQL injection in Delta Electronics DIAEnergie's GetDemandAnalysisData lets remote attackers execute arbitrary SQL queries and system commands.
Vulnerability
A blind SQL injection vulnerability exists in the GetDemandAnalysisData endpoint of Delta Electronics DIAEnergie, an industrial energy management application. All versions prior to 1.9 are affected [1]. The flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the application does not neutralize user-supplied input before it reaches the database query, so an attacker can inject arbitrary SQL through the vulnerable function [1].
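As an added illustration of the CWE-89 pattern named above (this is not DIAEnergie's code; the advisory gives neither the implementation language nor the schema), the following Python sketch contrasts a demand-data lookup that concatenates user input into the SQL text with a parameterized version plus an allow-list check on the identifier. The table, column names and the `M-…` meter identifiers are constructed for the example; an in-memory SQLite database stands in for the real backend.

```python
import re
import sqlite3

# Constructed sample schema and rows; the table and column names are
# hypothetical and do not come from DIAEnergie.
_SCHEMA = """
CREATE TABLE demand (meter_id TEXT, ts TEXT, kw REAL);
INSERT INTO demand VALUES ('M-1', '2024-01-01T00:00', 12.5);
INSERT INTO demand VALUES ('M-1', '2024-01-01T00:15', 13.0);
INSERT INTO demand VALUES ('M-2', '2024-01-01T00:00', 40.0);
"""


def connect():
    """Return a fresh in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def get_demand_vulnerable(conn, meter_id):
    """CWE-89 pattern: the caller-supplied value becomes part of the SQL text.

    A value containing a quote character changes the statement's structure,
    so the database executes whatever the input spells out instead of
    matching a literal meter id.
    """
    sql = "SELECT ts, kw FROM demand WHERE meter_id = '" + meter_id + "'"
    return conn.execute(sql).fetchall()


_METER_ID = re.compile(r"M-\d{1,6}")


def is_valid_meter_id(meter_id):
    """Allow-list check: only the identifier shape the application expects."""
    return _METER_ID.fullmatch(meter_id) is not None


def get_demand_hardened(conn, meter_id):
    """Parameterized query: the driver binds meter_id as data, never as SQL.

    Rejecting malformed identifiers up front is defence in depth; the
    placeholder alone already prevents the input from altering the query.
    """
    if not is_valid_meter_id(meter_id):
        raise ValueError("meter_id does not match the expected format")
    sql = "SELECT ts, kw FROM demand WHERE meter_id = ?"
    return conn.execute(sql, (meter_id,)).fetchall()


def row_counts(meter_id):
    """Return (vulnerable_count, hardened_count) for one input value.

    The hardened count is None when the allow-list check rejects the input.
    """
    vulnerable = len(get_demand_vulnerable(connect(), meter_id))
    try:
        hardened = len(get_demand_hardened(connect(), meter_id))
    except ValueError:
        hardened = None
    return vulnerable, hardened


if __name__ == "__main__":
    # A well-formed id returns the same two rows either way.
    print("M-1:", row_counts("M-1"))
    # A value with an embedded quote makes the concatenated query return
    # every row; the parameterized path rejects it before any SQL runs.
    print("quoted input:", row_counts("M-1' OR '1'='1"))
```

The point to take from the comparison is that neutralization is a property of how the statement is built, not of how the input looks: the parameterized query would be safe even without the regex check, whereas the concatenated query cannot be repaired by filtering alone.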
Exploitation
An attacker can exploit this vulnerability remotely with low complexity, requiring no authentication or user interaction [1]. The attacker sends a specially crafted HTTP request to the affected GetDemandAnalysisData endpoint; by observing the application's response (blind SQL injection), they can extract database contents or execute system-level commands [1]. The network-accessible nature and lack of required privileges make this particularly easy to exploit [1].
Impact
Successful exploitation allows an attacker to retrieve and modify arbitrary database contents, as well as execute operating system commands [1]. This leads to complete compromise of confidentiality, integrity, and availability — the CVSS v3 base score is 9.8 (Critical) with the vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) [1]. An attacker can gain full control over the affected DIAEnergie server.
Mitigation
Delta Electronics released version 1.9 of DIAEnergie to address this vulnerability, and users are advised to upgrade immediately [1]. No workaround is documented; all versions prior to 1.9 are considered vulnerable. CISA recommends that users assess risk and apply the update, and that affected devices should not be directly accessible from the internet [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.8.02.004
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 (CISA ICS advisory; MITRE reference source: CONFIRM)
News mentions
No linked articles in our index yet.