Delta Electronics DIAEnergie
Description
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in CheckIoTHubNameExisted. A low-privileged authenticated attacker could exploit this issue to inject arbitrary SQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in CheckIoTHubNameExisted allows low-privileged authenticated attackers to execute arbitrary SQL queries in DIAEnergie prior to v1.9.01.002.
Vulnerability
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection in the CheckIoTHubNameExisted endpoint. A low-privileged authenticated attacker can inject arbitrary SQL queries by sending crafted input to this endpoint [1].
Exploitation
An attacker with low-privilege authenticated access to the DIAEnergie web interface can exploit this vulnerability remotely with low attack complexity. The attacker sends a specially crafted request to the CheckIoTHubNameExisted API, which does not properly sanitize user input, allowing SQL injection [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries, leading to unauthorized retrieval, modification, or deletion of database contents. This could potentially lead to execution of system commands if the database server has sufficient privileges, compromising the confidentiality, integrity, and availability of the system [1].
Mitigation
Delta Electronics has released version v1.9.01.002 to address this vulnerability. Users are advised to update to the latest version. The CISA advisory [1] provides further details and recommends applying patches promptly.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: All
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.