Delta Electronics DIAEnergie SQL Injection
Description
SQL Injection in AM_EBillAnalysis.aspx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via the network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Delta Electronics DIAEnergie AM_EBillAnalysis.aspx allows remote attackers to execute arbitrary SQL queries.
Vulnerability
A SQL injection vulnerability exists in the AM_EBillAnalysis.aspx endpoint of Delta Electronics DIAEnergie versions prior to v1.9.02.001, as well as versions prior to v1.9.03.001 per updated advisories [1]. The flaw arises from improper neutralization of user-supplied input within the parameter processed by this page, enabling an attacker to inject arbitrary SQL commands into the backend database query.
Exploitation
An attacker can exploit this vulnerability remotely over the network with low complexity and no required authentication [1]. The attack vector is network-based, meaning the adversary must only be able to send crafted HTTP requests to the affected AM_EBillAnalysis.aspx endpoint. No user interaction or prior privileges are necessary to trigger the injection.
Impact
Successful exploitation allows an attacker to retrieve, modify, or delete database contents, potentially gaining access to sensitive energy management data. The advisory notes that this could lead to arbitrary code execution and system command execution [1]. The CVSS v3 base score is 8.8 (High), indicating significant confidentiality, integrity, and availability impact.
Mitigation
Delta Electronics has released DIAEnergie version v1.9.02.001 to address the vulnerability; the later version v1.9.03.001 also contains the fix [1]. Users are advised to update to the latest patched version as soon as possible. No workarounds are documented in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.9.02.001
- (no CPE) range: All
Patches
No patches discovered yet.