Delta Electronics DIAView

Action: Plan patch | CVSS 9.8 | ICS-CERT ICSA-25-219-01 | Aug 7, 2025
Vendor: Delta Electronics
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

A path traversal vulnerability in Delta Electronics DIAView version 4.2.0.0 and earlier allows a remote attacker without authentication to read and write arbitrary files on the affected device via specially crafted network requests. This vulnerability has a critical CVSS v3.1 score of 9.8 with network attack vector, no privilege requirement, and no user interaction needed. Exploitation could allow an attacker to modify operational configurations, steal sensitive data, or alter process logic. Delta Electronics has released version 4.3.0 as a fix.

What this means
What could happen
An attacker with network access to DIAView could read or write arbitrary files on the device, potentially allowing them to modify configuration files, steal sensitive data, or alter operational logic used to control industrial processes.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Delta Electronics DIAView for SCADA visualization and control. DIAView is commonly used to monitor and manage industrial processes, making it a high-value target in production environments.
How it could be exploited
An attacker would send a specially crafted network request to the vulnerable DIAView instance over the network. No authentication or user interaction is required. The malicious request exploits a path traversal vulnerability to access files outside the intended directory, enabling arbitrary read and write operations.
Prerequisites
  • Network access to the DIAView device on its service port
  • DIAView version 4.2.0.0 or earlier
Key facts
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • File read/write access enables configuration tampering
  • Critical CVSS score (9.8)
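The defensive counterpart to the request described above is a containment check: decode the client-supplied path, normalise it, and refuse anything that does not stay under the directory the service is meant to expose. The following is an added example, not Delta's code or anything from DIAView; the base directory, URL prefix and log lines are constructed for illustration. The same check is then run over the sample log so that requests which would have escaped the served directory are flagged for the SOC.

```python
"""Added example (not Delta Electronics / DIAView code).

Shows (1) a lexical containment check for client-supplied file paths and
(2) that check applied to constructed request-log lines to flag traversal
attempts. BASE_DIR, URL_PREFIX and the log format are hypothetical.
"""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

BASE_DIR = "/srv/diaview/projects"   # hypothetical directory the service should expose
URL_PREFIX = "/files/"               # hypothetical route prefix used in the sample log


def resolve_within(base: str, requested: str) -> Optional[str]:
    """Return the normalised absolute path for `requested` if it stays under
    `base`, otherwise None. Purely lexical: no filesystem access, so symlinks
    inside `base` are not followed and must be controlled separately."""
    # Decode twice so '%2e%2e%2f' and the double-encoded '%252e' both become '..'.
    decoded = unquote(unquote(requested))
    # Treat backslashes as separators: on Windows hosts both forms are accepted.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:               # NUL bytes can truncate paths in native code
        return None
    base = posixpath.normpath(base)
    # Drop leading slashes so an absolute request is interpreted relative to base.
    joined = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if joined != base and not joined.startswith(base + "/"):
        return None
    return joined


# Constructed log lines: timestamp, source IP, method, request path, status.
SAMPLE_LOG = """\
2025-08-07T10:00:01Z 10.0.5.20   GET /files/plant1/tags.xml 200
2025-08-07T10:00:05Z 203.0.113.9 GET /files/../../Windows/win.ini 200
2025-08-07T10:00:07Z 203.0.113.9 PUT /files/..%2f..%2fDIAView/config.xml 200
2025-08-07T10:00:09Z 10.0.5.21   GET /files/plant2/alarms.xml 200
2025-08-07T10:00:12Z 203.0.113.9 GET /files/..%252f..%252fboot.ini 200
"""


def flag_traversal(log: str) -> List[Tuple[str, str, str]]:
    """Return (source, method, path) for every request whose path would escape
    BASE_DIR, i.e. exactly the requests resolve_within() would have refused."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                        # skip malformed lines
        _ts, src, method, path, _status = fields[:5]
        if not path.startswith(URL_PREFIX):
            continue                        # only the file-serving route is of interest
        if resolve_within(BASE_DIR, path[len(URL_PREFIX):]) is None:
            hits.append((src, method, path))
    return hits


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", *hit)
```

Running the block prints the three constructed requests from 203.0.113.9; the two in-scope reads from the 10.0.5.0/24 workstations pass. Note that a status of 200 on a flagged PUT is the signal a defender cares about most, since it means the write was accepted rather than refused.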
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (1)
Product | Affected versions | Fix status
DIAView | 4.2.0.0 | 4.3.0+
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to DIAView ports using a firewall; only allow connections from authorized engineering workstations and SCADA servers
HARDENING: Isolate the DIAView device and its network from the Internet and from untrusted business networks
HARDENING: Implement VPN-only remote access to DIAView; disable any direct Internet connectivity or public exposure
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update DIAView to version 4.3.0 or later