VYPR
Unrated severity · NVD Advisory · Published Oct 26, 2022 · Updated May 7, 2025

CVE-2022-43775

Description

The HICT_Loop class in Delta Electronics DIAEnergie v1.9 contains a SQL Injection flaw that could allow an attacker to gain code execution on a remote system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Delta Electronics DIAEnergie v1.9 HICT_Loop class contains an unauthenticated SQL injection vulnerability leading to remote code execution.

Vulnerability

The vulnerability resides in the HICT_Loop class of Delta Electronics DIAEnergie version 1.9. The class constructs SQL queries using string formatting with user-supplied parameters (hid, egid, kid, eccid) without proper sanitization, allowing SQL injection. The affected endpoint is likely reachable via the HICT_Loop handler. [1]

Exploitation

An unauthenticated remote attacker can send crafted HTTP requests to the vulnerable endpoint, injecting SQL commands through the hid, egid, kid, or eccid parameters. No authentication or user interaction is required. The attack vector is network-based with low complexity. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary SQL statements, potentially leading to full compromise of the database. The advisory notes that this can result in remote code execution on the underlying system, as SQL injection can be leveraged to write files or execute commands depending on database permissions. The CVSS score is 9.8 (Critical) with impacts to confidentiality, integrity, and availability. [1]

Mitigation

Delta Electronics has not released a patch as of the advisory publication date (2022-10-26). Users should apply network segmentation and restrict access to the DIAEnergie web interface to trusted hosts. Monitor for updates from Delta. The vulnerability is not listed in CISA KEV as of this writing. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
