VYPR
Unrated severity · NVD Advisory · Published Oct 26, 2022 · Updated May 7, 2025

CVE-2022-43774

Description

The HandlerPageP_KID class in Delta Electronics DIAEnergy v1.9 contains a SQL Injection flaw that could allow an attacker to gain code execution on a remote system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Delta Electronics DIAEnergie v1.9 is vulnerable to SQL injection in HandlerPageP_KID, allowing unauthenticated remote code execution.

Vulnerability

The HandlerPageP_KID class in Delta Electronics DIAEnergie v1.9 contains a SQL injection vulnerability. The flaw exists in the ProcessRequest() method when handling the URL endpoint /DataHandler/HandlerPageP_KID.ashx with the ttype parameter set to GetUDcontent. The HtmlId and KID URL parameters are directly concatenated into a SQL query without sanitization, allowing an attacker to inject arbitrary SQL statements [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP POST request to the vulnerable endpoint. The attacker does not need any prior authentication or user interaction. The Tenable advisory provides a proof-of-concept that demonstrates changing the DIAEnergie root password by injecting a SQL UPDATE statement via the KID parameter [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands against the backend database. This can lead to full compromise of the DIAEnergie application, including code execution on the remote system, as stated in the CVE description. The CVSS v3.1 base score is 9.8 (Critical) with impacts to confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2022-10-26), no official patch was available from Delta Electronics. Users should monitor vendor advisories for updates and consider upgrading to a patched version when released. If no fix is available, network segmentation and strict access controls to the DIAEnergie web interface may reduce exposure [1].
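
A detection sketch for the mitigation above, added here as an example and not taken from the advisory or the vendor: it scans IIS W3C logs for requests to the endpoint named in the Vulnerability section, flagging clients outside an allow-list and HtmlId/KID values that are not plain identifiers. The log lines, IP addresses and the identifier pattern are constructed assumptions to tune against real traffic.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/datahandler/handlerpagep_kid.ashx"   # endpoint named in the advisory
WATCHED = ("HtmlId", "KID")                       # parameters named in the advisory
# Assumption: legitimate values are short identifiers; adjust to observed traffic.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-10-27 08:00:01 10.0.5.20 POST /DataHandler/HandlerPageP_KID.ashx ttype=GetUDcontent&HtmlId=panel1&KID=12 200
2022-10-27 08:03:44 203.0.113.9 POST /DataHandler/HandlerPageP_KID.ashx ttype=GetUDcontent&HtmlId=panel1&KID=12%27 200
2022-10-27 08:05:10 203.0.113.9 GET /index.html - 200
""".splitlines()

def review(log_lines, allowed_clients=frozenset()):
    """Return (line_no, client_ip, reasons) for handler requests needing review."""
    fields, findings = [], []
    for n, line in enumerate(log_lines, 1):
        if line.startswith("#Fields:"):           # W3C header defines column order
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        query = rec.get("cs-uri-query", "-")
        params = parse_qs("" if query == "-" else query, keep_blank_values=True)
        params = {k.lower(): v for k, v in params.items()}  # names are case-insensitive
        reasons = []
        if rec.get("c-ip") not in allowed_clients:
            reasons.append("client not on allow-list")
        if "getudcontent" in [v.lower() for v in params.get("ttype", [])]:
            for name in WATCHED:
                for value in params.get(name.lower(), []):   # values are URL-decoded
                    if not SAFE_VALUE.fullmatch(value):
                        reasons.append(f"{name} is not a plain identifier")
        if reasons:
            findings.append((n, rec.get("c-ip"), reasons))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, allowed_clients={"10.0.5.20"}):
        print(finding)
```

W3C logs record only the query string, so parameters sent in a POST body need the same check at a reverse proxy or WAF in front of the DIAEnergie web interface.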

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
