Delta Electronics DIAEnergie SQL Injection

Vulnerability

CVE-2022-43452 is an SQL injection vulnerability in the FtyInfoSetting.aspx page of Delta Electronics DIAEnergie, an industrial energy management system. All versions prior to v1.9.02.001 are affected [1]. The vulnerability exists because user-supplied input is not properly neutralized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands [1].

Exploitation

An attacker can exploit this vulnerability over the network with low complexity and no authentication required [1]. By sending crafted HTTP requests to the vulnerable FtyInfoSetting.aspx endpoint, the attacker can inject malicious SQL statements that are executed by the underlying database server [1].

Impact

Successful exploitation allows an attacker to read, modify, or delete sensitive data in the database, and potentially execute operating system commands on the database server [1]. This can lead to complete compromise of the confidentiality, integrity, and availability of the affected system. The CVSS v3 base score is 8.8, indicating high impact [1].

Mitigation

Delta Electronics has released DIAEnergie version v1.9.02.001 to address this vulnerability. All users are advised to upgrade to this version or later [1]. CISA recommends users apply the update immediately and review the vendor advisory for more details [1].