Delta Electronics DIAEnergie SQL Injection in HandlerExport.ashx/Calendar.ashx
Description
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind SQL injection in Delta Electronics DIAEnergie's HandlerExport.ashx/Calendar allows remote unauthenticated attackers to execute arbitrary SQL and system commands.
Vulnerability
Delta Electronics DIAEnergie, an industrial energy management system, is vulnerable to a blind SQL injection in the HandlerExport.ashx/Calendar endpoint. All versions prior to 1.8.02.004 (as per the CVE description) or prior to 1.9 (according to the CISA advisory [1]) are affected. The vulnerability allows an attacker to inject arbitrary SQL queries without prior authentication.
Exploitation
An unauthenticated attacker with network access can exploit this vulnerability by sending crafted HTTP requests to the vulnerable endpoint. The attack requires low complexity and no user interaction. By manipulating input parameters, the attacker can perform SQL injection, potentially enumerating database contents or modifying data.
Impact
Successful exploitation enables the attacker to retrieve and modify sensitive database contents, as well as execute system commands on the underlying system. This can lead to full compromise of the DIAEnergie application and the associated industrial control system, impacting confidentiality, integrity, and availability.
Mitigation
Delta Electronics has addressed this vulnerability in version 1.9 of DIAEnergie, as indicated in the CISA advisory [1]. Users are strongly advised to update to this or a later version. If upgrading is not immediately possible, apply network segmentation and restrict access to the affected endpoint as a workaround.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.8.02.004
- (no CPE) range: unspecified
Patches
No patches discovered yet.
References
[1] www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 (mitre, x_refsource_CONFIRM)