VYPR
Unrated severity · NVD Advisory · Published Mar 29, 2022 · Updated Apr 16, 2025

Delta Electronics DIAEnergie Incorrect Default Permissions

CVE-2022-26839

Description

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to an incorrect default permission in the DIAEnergie application, which may allow an attacker to plant new files (such as DLLs) or replace existing executable files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Delta Electronics DIAEnergie versions prior to 1.9 have incorrect default permissions, allowing low-privileged attackers to plant malicious DLLs or replace executables.

Vulnerability

Delta Electronics DIAEnergie versions prior to 1.9 suffer from an incorrect default permission vulnerability (CWE-276). The application's filesystem permissions are overly permissive by default, enabling a local attacker to plant new files (such as DLLs) or overwrite existing executable files. The affected product is used for industrial energy management.

Exploitation

An attacker needs local access to the system with low privileges (CVSSv3 AV:L/PR:L). No user interaction is required. The attacker can write arbitrary files into directories where DIAEnergie loads executables or libraries. By placing a malicious DLL in a search path that the application uses, the attacker can cause the application to load the attacker's code instead of the legitimate library.

Impact

Successful exploitation allows the attacker to achieve code execution in the context of the DIAEnergie application, which often runs with elevated privileges. Confidentiality, integrity, and availability impacts are all high, potentially leading to full system compromise [1].

Mitigation

Delta Electronics has released DIAEnergie version 1.9, which fixes this vulnerability [1]. Users should upgrade to version 1.9 or later. If immediate upgrade is not possible, limit local access to trusted users and monitor file changes in the installation directory. No known public KEV listing exists.
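To check a host for the condition described above, the following PowerShell script lists ACL entries in the install tree that let broad, low-privileged groups create, replace or delete files. It is an added example, not part of the advisory or any Delta Electronics tooling; the install path is a placeholder, and the set of principals treated as low-privileged is an assumption.

```powershell
# Added example: audit an install tree for allow-ACEs that give broad groups
# write-type access (CWE-276). Run from an elevated prompt so every ACL is readable.
param(
    # Placeholder: set this to the real DIAEnergie installation directory.
    [string]$InstallDir = 'C:\PLACEHOLDER\DIAEnergie-install-dir'
)

# Well-known SIDs, so matching does not depend on the OS display language.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow planting or replacing files, plus the raw generic bits
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) that some ACEs carry.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask   = [int]$WriteRights -bor 0x40000000 -bor 0x10000000

$root  = Get-Item -LiteralPath $InstallDir -ErrorAction Stop
$items = @($root) + @(Get-ChildItem -LiteralPath $root.FullName -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    # Ask for identities as SIDs rather than account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
        # Report inherited ACEs once, at the root, instead of on every child.
        if ($rule.IsInherited -and $item.FullName -ne $root.FullName) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize -Wrap
if ($findings) { exit 1 }   # non-zero exit lets a scheduled job raise an alert
```

An empty result means none of the listed groups hold write-type rights on the tree; any row is a location where a low-privileged local user could add or replace a file.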

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
