First published: Tue Mar 22 2022(Updated: )
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_eccoefficientHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
Credit: ics-cert@hq.dhs.gov
Affected Software | Affected Version | How to fix |
---|---|---|
Deltaww Diaenergie | <1.8.02.004 | |
Delta Electronics DIAEnergie | <1.9 | 1.9 |
Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022. Delta also suggests users: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls and isolate them from the business network. Use an application firewall that can detect attacks against “Path Traversal” and “SQL Injection” weakness. Never connect programming software to any network other than the network intended for that device. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this vulnerability is CVE-2022-26349.
The severity of CVE-2022-26349 is critical, with a severity value of 9.8.
The affected software for CVE-2022-26349 is Delta Electronics DIAEnergie versions prior to 1.8.02.004.
CVE-2022-26349 is a blind SQL injection vulnerability in Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) that exists in DIAE_eccoefficientHandler.ashx, allowing an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
Yes, updating to version 1.8.02.004 or later of Delta Electronics DIAEnergie will fix the vulnerability.