Delta Electronics DIAEnergie
Status: Plan Patch · CVSS 9.8 · ICS-CERT ICSA-24-277-03 · Oct 3, 2024
Delta Electronics
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
DIAEnergie versions 1.10.01.008 and earlier contain SQL injection vulnerabilities (CWE-89) that could allow an attacker to retrieve sensitive data from the system database or cause denial of service. The application fails to properly validate user input before using it in SQL queries, allowing arbitrary SQL commands to be executed. The vulnerability is remotely exploitable and requires no authentication.
What this means
What could happen
An attacker could exploit SQL injection flaws in DIAEnergie to read sensitive data from the energy management system database or cause the service to crash, disrupting energy monitoring and management operations.
Who's at risk
This affects organizations that use Delta Electronics DIAEnergie for energy management and monitoring. Energy utilities, industrial facilities with onsite power management, and facility managers who rely on DIAEnergie for monitoring power consumption, demand, or renewable energy integration should prioritize patching and network isolation.
How it could be exploited
An attacker with network access to the DIAEnergie application would send specially crafted input through an unvalidated input field. Because the application does not properly validate that input before building SQL queries from it, the attacker can execute arbitrary SQL commands against the backend database to extract records or disrupt service availability.
Prerequisites
- Network access to the DIAEnergie application port (typically HTTP/HTTPS)
- No credentials required to trigger the vulnerability
- DIAEnergie version 1.10.01.008 or earlier
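To make the CWE-89 mechanism described above concrete, the following is an added example that is not part of the advisory and not DIAEnergie's code. It builds a constructed in-memory SQLite table (the table and column names are assumptions), shows the unsafe pattern of splicing untrusted input into SQL text beside its parameterized form, and adds an allowlist check as a second layer of validation.

```python
import re
import sqlite3

# Constructed sample data standing in for an energy-management database.
# The "meters" table and its columns are assumptions for this example only.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE meters (id INTEGER PRIMARY KEY, name TEXT, site TEXT, kwh REAL)"
    )
    conn.executemany(
        "INSERT INTO meters (name, site, kwh) VALUES (?, ?, ?)",
        [
            ("main-feed", "plant-a", 1250.5),
            ("chiller-1", "plant-a", 310.0),
            ("solar-inverter", "plant-b", 88.2),
        ],
    )
    return conn


def lookup_site_vulnerable(conn, site):
    # The CWE-89 pattern: the caller's value is concatenated into the SQL text,
    # so any quote or operator in it changes the query's structure.
    sql = f"SELECT name, kwh FROM meters WHERE site = '{site}'"
    return conn.execute(sql).fetchall()


def lookup_site_parameterized(conn, site):
    # Hardened form: the value is bound as a parameter and is only ever
    # compared as data, never parsed as SQL.
    sql = "SELECT name, kwh FROM meters WHERE site = ?"
    return conn.execute(sql, (site,)).fetchall()


def validate_site(site):
    # Second layer: reject anything outside the expected identifier shape
    # (assumed format: lowercase letters, digits and hyphens, up to 32 chars).
    if not re.fullmatch(r"[a-z0-9-]{1,32}", site):
        raise ValueError("invalid site identifier")
    return site


def lookup_site_hardened(conn, site):
    # Validation plus parameterization; both layers are cheap and independent.
    return lookup_site_parameterized(conn, validate_site(site))


if __name__ == "__main__":
    db = build_sample_db()
    tainted = "plant-b' OR '1'='1"  # constructed tautology input
    print("vulnerable:", lookup_site_vulnerable(db, tainted))     # every row leaks
    print("parameterized:", lookup_site_parameterized(db, tainted))  # no match
    try:
        lookup_site_hardened(db, tainted)
    except ValueError as exc:
        print("hardened:", exc)
```

The parameterized query alone already closes the injection; the allowlist is there because a rejected request is also a useful log event for detection, whereas a bound parameter that silently matches nothing is not.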
- Remotely exploitable without authentication
- Low attack complexity
- High CVSS score (9.8)
- SQL injection (CWE-89)
- Can cause data breach and denial of service
- Affects energy management and monitoring systems
Exploitability
Some exploitation risk — EPSS score 8.3%
Affected products (1)
Product: DIAEnergie
Affected Versions: ≤ v1.10.01.008
Fix Status: fixed in v1.10.01.009
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the DIAEnergie application to only authorized engineering workstations and control center terminals; block inbound access from untrusted networks and the internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update DIAEnergie to version 1.10.01.009 or later by contacting Delta Electronics regional sales or agents
Long-term hardening
HARDENING: Deploy the DIAEnergie system behind a firewall and on a network segment isolated from business networks and internet-facing systems
HARDENING: If remote access to DIAEnergie is required, implement a VPN with current security patches and restrict access to named users and devices only
CVEs (2)