CVE-2026-9642

Vulnerability

The vulnerability is a mitigation bypass for CVE-2025-62582, which originally allowed unauthenticated remote database access in Delta Electronics DIAView. The fix for CVE-2025-62582 was incomplete, leaving a code path that still permits an unauthenticated remote attacker to access configured databases in a DIAView project [1]. The exact affected versions are not specified in the available references, but the issue affects DIAView installations that have applied the initial patch.

Exploitation

An attacker requires network access to the DIAView application. No authentication or user interaction is needed. The attacker can exploit the incomplete fix by sending specially crafted requests that bypass the intended mitigation, thereby reaching the database access functionality [1]. The specific sequence of steps is not detailed in the references, but the attack is remotely exploitable over the network.

Impact

Successful exploitation allows an unauthenticated remote attacker to access configured databases within the DIAView project. This leads to unauthorized disclosure of sensitive data stored in those databases, such as configuration details, credentials, or operational data. The attacker gains read access to the database contents, compromising confidentiality [1].

Mitigation

As of the publication date (2026-05-26), there is no fix available for this bypass [1]. Delta Electronics acknowledged the limitation of the original fix and stated they will update their advisory and enhance protection of their keys in the future, but no patch has been released [1]. Users should monitor vendor advisories for updates. No workaround is provided in the references. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.