Delta Electronics DIAEnergie SQL Injection
Description
SQL Injection in HandlerTag_KID.ashx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via the network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in HandlerTag_KID.ashx in Delta Electronics DIAEnergie prior to v1.9.02.001 allows remote attackers to inject SQL queries and compromise the database.
Vulnerability
A SQL injection vulnerability exists in the HandlerTag_KID.ashx endpoint of Delta Electronics DIAEnergie, an industrial energy management system. Versions prior to v1.9.02.001 (and also prior to v1.9.03.001 per updated advisories) are affected. The flaw occurs when user-supplied input is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands.
Exploitation
An attacker can exploit this vulnerability remotely over the network without requiring authentication or user interaction. By sending a specially crafted HTTP request to the HandlerTag_KID.ashx endpoint, the attacker can inject malicious SQL statements into the database query. The low attack complexity makes exploitation straightforward.
Impact
Successful exploitation allows the attacker to retrieve, modify, or delete database contents. Additionally, the advisory states that the attacker may be able to execute arbitrary system commands on the affected system. This can lead to full compromise of the energy management system, affecting confidentiality, integrity, and availability.
Mitigation
Delta Electronics released fixed versions to address this vulnerability. According to the CISA advisory [1], users should upgrade to DIAEnergie v1.9.02.001 or later. A subsequent update (Update B) recommends v1.9.03.001. No workarounds are provided; upgrading is the only mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: <1.9.02.001
- (no CPE), range: All
References