Delta Electronics DIAEnergie (Update C)
Act Now9.8ICS-CERT ICSA-22-081-01Mar 22, 2022
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Delta Electronics DIAEnergie contains multiple vulnerabilities (path traversal, SQL injection, insecure permissions, and arbitrary file operations) that allow remote code execution without authentication. Exploitation could enable an attacker to run commands on energy management devices and disrupt operations. All versions prior to 1.9 are affected.
What this means
What could happen
Remote code execution on DIAEnergie systems could allow an attacker to run arbitrary commands on energy management devices, potentially altering power distribution setpoints, disabling controls, or disrupting grid operations.
Who's at risk
Operators and administrators of Delta Electronics DIAEnergie energy management systems, including utilities and industrial facilities managing power distribution, demand response, or load management. This affects all deployed versions prior to 1.9.
How it could be exploited
An attacker with network access to a DIAEnergie device can exploit path traversal (CWE-37) or SQL injection (CWE-89) vulnerabilities to upload and execute malicious code. The attack requires no authentication or user interaction.
Prerequisites
- Network access to DIAEnergie device (reachable from the network)
- Device running vulnerable version (< 1.9)
remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)affects energy management and grid operations
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
ProductAffected VersionsFix Status
DIAEnergie: All< 1.91.9 or later
Remediation & Mitigation
0/5
Do now
0/2HARDENINGImplement network firewall rules to restrict access to DIAEnergie devices from untrusted networks and the Internet
HARDENINGDisable remote access to programming software unless absolutely necessary; if required, use VPN with strong authentication
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
HOTFIXUpgrade DIAEnergie to version 1.9 or later
HARDENINGIsolate control system networks from business network using network segmentation
HARDENINGDeploy application firewall capable of detecting path traversal and SQL injection attacks
CVEs (29)
CVE-2022-25347CVE-2022-26839CVE-2022-26667CVE-2022-1098CVE-2022-26349CVE-2022-26013CVE-2022-26836CVE-2022-0923CVE-2022-26059CVE-2022-26069CVE-2022-27175CVE-2022-25980CVE-2022-26338CVE-2022-26065CVE-2022-26666CVE-2022-26887CVE-2022-25880CVE-2022-26514CVE-2022-1366CVE-2022-1367CVE-2022-1378CVE-2022-1377CVE-2022-1376CVE-2022-1375CVE-2022-1374CVE-2022-1372CVE-2022-1371CVE-2022-1370CVE-2022-1369
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/13513125-f35a-49b8-85e5-50a621ba6d83