Delta Electronics DIAEnergie (Update C)
Act Now | CVSS 9.8 | ICS-CERT ICSA-21-238-03 | Aug 26, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Delta Electronics DIAEnergie versions prior to 1.9 contain multiple critical vulnerabilities enabling password theft, remote code execution, cross-site request forgery, SQL injection, cross-site scripting, and authentication bypass. Successful exploitation could allow an attacker to retrieve passwords in cleartext, remotely execute code, cause users to perform unintended actions, or gain administrative access to the device.
What this means
What could happen
An attacker with network access to DIAEnergie could steal administrator passwords in plaintext, execute arbitrary code on the device, trick users into performing unintended actions, or log in with admin privileges—potentially disrupting energy management and control operations.
Who's at risk
Operators of energy management and SCADA systems using Delta Electronics DIAEnergie software should prioritize this critical issue. This affects any municipal or utility facility using DIAEnergie for power monitoring, load management, or distributed energy resource control.
How it could be exploited
An attacker on the network can chain several of these vulnerabilities: passwords handled in cleartext (CWE-319) let credentials be intercepted, missing CSRF protection (CWE-352) lets users be tricked into unintended actions, SQL injection (CWE-89) and unrestricted file upload (CWE-434) allow malicious code to be placed on the system, and an authentication bypass (CWE-288) grants administrative access to DIAEnergie.
Prerequisites
- Network access to DIAEnergie device or web interface
- No authentication required for initial exploitation of some vulnerabilities
- Device running a DIAEnergie version prior to 1.9
Tags: remotely exploitable; no authentication required for some attack paths; low complexity; no patch available; critical CVSS score (9.8)
Exploitability
Moderate exploit probability (EPSS 2.3%)
Affected products (1)
Product | Affected Versions | Fix Status
DIAEnergie: All | < 1.9 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate DIAEnergie devices from the business network and Internet; place them behind a firewall with strict access controls
WORKAROUND: Restrict network access to DIAEnergie to only authorized engineering and operations personnel using IP whitelisting or network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: If remote access is required, implement a VPN gateway between remote users and the DIAEnergie network, and keep VPN software updated
HOTFIX: Monitor DIAEnergie for vendor security updates and apply patches immediately when available
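The isolation and IP-whitelisting measures above can be expressed as a firewall policy on the gateway that sits between the DIAEnergie host and the rest of the network. The following nftables ruleset is an added example written for this page; it is not from the advisory or from Delta Electronics. All addresses, the subnet names and the web-interface ports (80/443) are assumed placeholders to be replaced with the site's own values.

```nftables
# Added example (not from the advisory): nftables policy for a gateway
# in front of a DIAEnergie host. All addresses and ports are assumed.
define diaenergie_host = 10.10.20.15     # assumed: DIAEnergie server
define ot_net          = 10.10.20.0/24   # assumed: OT segment it monitors
define engineering_net = 10.10.50.0/24   # assumed: authorized engineering/operations subnet
define vpn_gateway     = 10.10.60.1      # assumed: VPN gateway for remote users

table inet diaenergie_filter {
    # Only these sources may reach the DIAEnergie web interface.
    set authorized_sources {
        type ipv4_addr
        flags interval
        elements = { $engineering_net, $vpn_gateway }
    }

    # Destinations the DIAEnergie host itself may talk to (no business LAN, no Internet).
    set permitted_destinations {
        type ipv4_addr
        flags interval
        elements = { $ot_net, $engineering_net }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Inbound: web interface reachable only from authorized sources (ports assumed).
        ip daddr $diaenergie_host tcp dport { 80, 443 } ip saddr @authorized_sources accept

        # Inbound: everything else aimed at the host is logged and dropped,
        # which also records unauthenticated probing of the web interface.
        ip daddr $diaenergie_host log prefix "DIAENERGIE-DENIED " counter drop

        # Outbound: the host may only reach its OT segment and the engineering subnet.
        ip saddr $diaenergie_host ip daddr @permitted_destinations accept
        ip saddr $diaenergie_host log prefix "DIAENERGIE-EGRESS " counter drop
    }
}
```

Load it with `nft -f <file>` on the gateway and review the counters with `nft list table inet diaenergie_filter`; a rising count on the `DIAENERGIE-DENIED` rule indicates hosts outside the allowlist attempting to reach the interface, which is worth investigating given that some of the listed vulnerabilities need no authentication.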
CVEs (13)
API: /api/v1/advisories/7c3cbc46-7901-47a8-8fcf-163c90e206c2