Delta Electronics DIAEnergie
Priority: Act Now · CVSS 9.8 · ICS-CERT ICSA-24-277-03 · Oct 3, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
DIAEnergie versions v1.10.01.008 and earlier contain SQL injection vulnerabilities (CWE-89) that allow an unauthenticated attacker with network access to execute arbitrary SQL queries. Successful exploitation could allow retrieval of sensitive records from the DIAEnergie database or cause denial of service by consuming system resources.
What this means
What could happen
An attacker could extract sensitive data from DIAEnergie or disrupt energy management operations by executing SQL injection attacks, potentially compromising power distribution visibility or causing temporary outages through service denial.
Who's at risk
Energy utilities and industrial facilities using Delta Electronics DIAEnergie for power distribution management and energy monitoring. This impacts anyone relying on DIAEnergie for visibility into electrical loads, demand management, or equipment status across their facility.
How it could be exploited
An attacker with network access to DIAEnergie can send specially crafted SQL commands through an unauthenticated network interface. The application does not properly validate input, allowing the attacker to inject malicious SQL queries that retrieve unauthorized data or consume system resources to cause denial of service.
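To make the defect class concrete, the following is an added illustration, not DIAEnergie's code and not taken from the advisory: a hypothetical lookup against a constructed in-memory table, written once with untrusted input concatenated into the statement (CWE-89, the pattern the advisory describes) and once with a bound parameter. The table schema, the site names and the tautology input are all constructed for the example; only the parameterized version is the fix an application should ship.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for an energy-monitoring table.

    The schema is hypothetical and is not DIAEnergie's real schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE meters (id INTEGER, site TEXT, kwh REAL)")
    conn.executemany(
        "INSERT INTO meters VALUES (?, ?, ?)",
        [(1, "plant-a", 120.5), (2, "plant-b", 98.0), (3, "substation-c", 310.2)],
    )
    return conn


def lookup_vulnerable(conn, site):
    """CWE-89: the caller-supplied value is spliced into the SQL text.

    A quote character in `site` ends the string literal early, so the
    remainder of the input is parsed as SQL rather than as data.
    """
    sql = f"SELECT id, site, kwh FROM meters WHERE site = '{site}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, site):
    """Fixed form: the value is bound as a parameter.

    The database driver sends the input separately from the statement, so
    it is always compared as a string value and never interpreted as SQL.
    """
    sql = "SELECT id, site, kwh FROM meters WHERE site = ?"
    return conn.execute(sql, (site,)).fetchall()


def demo():
    """Run both lookups against the same constructed input and report row counts."""
    conn = make_db()
    tautology = "plant-a' OR '1'='1"  # constructed input that closes the literal
    return {
        # concatenation turns the filter into `site = 'plant-a' OR '1'='1'`,
        # which matches every row in the table
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),
        # the bound parameter looks for a site literally named plant-a' OR '1'='1
        "parameterized_rows": len(lookup_parameterized(conn, tautology)),
        # ordinary input behaves identically in both versions
        "normal_rows": len(lookup_parameterized(conn, "plant-a")),
    }


if __name__ == "__main__":
    print(demo())
```

The row counts are the whole point: the concatenated query returns every meter record for an input that should match none, while the parameterized query returns zero rows for the same input and one row for the legitimate site name. Input validation alone (rejecting quotes, length limits) is a useful defense-in-depth layer, but parameter binding is what removes the vulnerability class.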
Prerequisites
- Network access to DIAEnergie application port
- No authentication required
- DIAEnergie version v1.10.01.008 or earlier
Tags: Remotely exploitable · No authentication required · Low complexity attack · High CVSS score (9.8) · SQL injection vulnerability · High EPSS score (8.3%)
Exploitability
Moderate exploit probability (EPSS 8.3%)
Affected products (1)
Product: DIAEnergie
Affected Versions: ≤ v1.10.01.008
Fix Status: fixed in v1.10.01.009
Remediation & Mitigation
Do now
- HARDENING: Isolate DIAEnergie behind a firewall; restrict network access to only authorized engineering workstations and control system networks
- HARDENING: Disable remote internet access to DIAEnergie; require VPN with multi-factor authentication for any off-site engineering access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update DIAEnergie to version v1.10.01.009 or later
Long-term hardening
- HARDENING: Implement network segmentation to separate DIAEnergie from business networks and internet-facing systems
CVEs (2)