OTPulse

Delta Electronics DIAView

Act Now · CVSS 9.8 · ICS-CERT ICSA-25-219-01 · Aug 7, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

DIAView versions 4.2.0.0 and earlier contain a path traversal vulnerability (CWE-22) that allows a remote attacker to read or write arbitrary files on the affected device. No authentication is required to exploit this vulnerability.

What this means
What could happen
An attacker could read sensitive configuration files or write malicious files to the DIAView system, potentially altering process parameters, disabling safety functions, or gaining persistence on your control system.
Who's at risk
Organizations operating Delta Electronics DIAView human-machine interfaces (HMIs) for process visualization and control. This affects facilities in water treatment, utilities, manufacturing, and HVAC systems that rely on DIAView for operator interfaces to view and command industrial processes.
How it could be exploited
An attacker connects to the DIAView device over the network without credentials and sends a crafted request using path traversal sequences (e.g., ../ or similar) to access or modify files outside the intended directory. This could be used to extract configuration files or overwrite system files.
Prerequisites
  • Network access to the DIAView device (typically port 80/443 or the application port)
  • No authentication required
  • DIAView version 4.2.0.0 or earlier
remotely exploitable · no authentication required · low complexity · high CVSS score (9.8) · path traversal allows file read/write
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product             Affected Versions    Fix Status
DIAView: 4.2.0.0    4.2.0.0              4.3.0 or later
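
An added example (not OTPulse's or Delta Electronics' code) that triages an asset inventory against the version bounds in the affected-products entry above. The CSV layout, hostnames and sample version values are constructed assumptions; versions that fall between 4.2.0.0 and 4.3.0 are reported as unconfirmed because the advisory does not state their status.

```python
# Added example: triage DIAView installs against the advisory's version bounds.
import csv
import io

AFFECTED_MAX = "4.2.0.0"   # from the advisory: this version and earlier are affected
FIXED_MIN = "4.3.0"        # from the advisory: fixed in this version or later

def parse_version(text, width=4):
    """Turn '4.3.0' into (4, 3, 0, 0) so 3- and 4-part versions compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > width or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))

def classify(version_text):
    """Return 'affected', 'fixed', 'unconfirmed' or 'unknown' for one install."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"          # blank or malformed field: check the host by hand
    if v <= parse_version(AFFECTED_MAX):
        return "affected"
    if v >= parse_version(FIXED_MIN):
        return "fixed"
    return "unconfirmed"          # between the two bounds: the advisory does not say

def triage(inventory_csv):
    """Map each host in a CSV (columns: host, version) to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["version"] or "") for r in rows}

# Constructed sample inventory; hostnames, versions and columns are assumptions.
SAMPLE = """host,version
hmi-water-01,4.2.0.0
hmi-hvac-02,4.1.3.0
hmi-line-03,4.3.0
hmi-line-04,4.2.1.0
hmi-util-05,
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:14} {status}")
```

Hosts reported as unknown or unconfirmed should be treated as affected for network isolation purposes until their version is verified.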
Remediation & Mitigation
Do now
  • HARDENING: Isolate DIAView systems from the Internet and place them behind a firewall
  • HARDENING: Restrict network access to DIAView to only authorized engineering workstations and control networks
  • HARDENING: If remote access to DIAView is required, implement a VPN or secure jump host; do not expose DIAView directly to untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update DIAView to version 4.3.0 or later