Delta Electronics DIAEnergie
Description
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in GetDIAE_line_message_settingsListParameters. A low-privileged authenticated attacker could exploit this issue to inject arbitrary SQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-privileged authenticated attacker can exploit a SQL injection in DIAEnergie's GetDIAE_line_message_settingsListParameters to execute arbitrary SQL queries.
Vulnerability
The affected product is Delta Electronics DIAEnergie, an industrial energy management system, in versions prior to v1.9.01.002 [1]. A SQL injection vulnerability exists in the GetDIAE_line_message_settingsListParameters function. The improper neutralization of user-supplied input allows an authenticated attacker to inject arbitrary SQL queries [1]. The vulnerability is present when the application processes specially crafted requests to this endpoint.
Exploitation
An attacker must be a low-privileged authenticated user of the DIAEnergie application to reach the vulnerable code path [1]. The attack can be performed remotely with low complexity, requiring no user interaction [1]. The attacker sends a crafted request containing malicious SQL payloads to the vulnerable endpoint; the application fails to sanitize the input, leading to execution of the injected SQL commands within the database [1].
Impact
Successful exploitation allows an attacker to retrieve, modify, or delete database contents, potentially exposing sensitive information or compromising the integrity of the data stored by the industrial energy management system [1]. The attacker may also be able to execute system commands through the database, depending on the database permissions and the context of the injection [1]. The impact is high on confidentiality, integrity, and availability, as reflected in the CVSS base score of 8.8 [1].
Mitigation
Delta Electronics fixed this vulnerability in DIAEnergie v1.9.01.002; users should upgrade to the latest version [1]. Versions v1.9.02.001 and v1.9.03.001 are also listed as fixed versions [1]. There are no documented workarounds if upgrading is not possible. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.9.01.002
- Range: All
Patches
No patches discovered yet.
References