Delta Electronics DIAEnergie SQL Injection in GetCalcTagList
Description
Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) has a blind SQL injection vulnerability in GetCalcTagList. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind SQL injection in Delta Electronics DIAEnergie's GetCalcTagList allows remote attackers to execute arbitrary SQL commands and system commands.
Vulnerability
A blind SQL injection vulnerability exists in the GetCalcTagList function of Delta Electronics DIAEnergie, affecting all versions prior to 1.8.02.004 [1]. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and allows an attacker to inject arbitrary SQL queries into the application's database [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication, as the CVSS v3 vector indicates network access, low attack complexity, and no privileges required [1]. The attacker sends specially crafted input to the GetCalcTagList endpoint, performing blind SQL injection to extract or modify database contents and potentially execute system commands [1].
Impact
Successful exploitation allows the attacker to retrieve and modify database contents, and execute system commands on the underlying system, leading to full compromise of confidentiality, integrity, and availability [1]. The CVSS base score of 9.8 reflects the critical nature of this vulnerability [1].
Mitigation
Delta Electronics released version 1.8.02.004 to address this vulnerability; users should update to this version or later [1]. The CISA advisory notes that all versions prior to 1.9 are affected, but the specific fix for CVE-2022-27175 is included in 1.8.02.004 [1]. No workarounds are provided in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.8.02.004
- (no CPE) range: unspecified
Patches
No patches discovered yet.
References
- [1] www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 (mitre, x_refsource_CONFIRM)