CRITICALđŸ‡”đŸ‡± Wersja polska

CVE-2024-4547

CVSS 9.8v3.1pub. 2024-05-06upd. 2025-06-27

A SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateScript' message, which is splitted into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field

đŸ€– AI Analysis
How it works

The CEBC.exe process handles 'RecalculateScript' type messages, which are split into 4 fields using '~' as a separator. The fourth field passed in this message is not properly validated or sanitized, which classifies the vulnerability as CWE-20 (Improper Input Validation) and CWE-89 (SQL Injection). An unauthenticated remote attacker can craft an appropriate message containing a malicious SQL payload and send it to the vulnerable process, gaining the ability to manipulate the database.

Impact

An attacker can gain unauthorized access to the database, read, modify or delete stored data, and potentially take control of the energy management system, which in industrial environments may lead to serious operational disruptions.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. It is recommended to update to a version higher than v1.10.1.8610. Additionally, until the patch is deployed, it is recommended to restrict network access to the DIAEnergie system through a firewall and isolate the system in the OT/ICS network in accordance with the principle of least privilege.

Who is affected

Delta Electronics DIAEnergie version v1.10.1.8610 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Deltaww Diaenergie

    APP
    Deltaww
    < 1.10.01.004
đŸ””
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2024-43699CRITICAL9.3PL ✓ten sam produkt

SQL Injection w Delta Electronics DIAEnergie — dostęp do danych bez uwierzytelnienia

CVE-2024-4548CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Delta Electronics DIAEnergie via RecalculateHDMWYC

CVE-2022-43775CRITICAL9.8ten sam produkt

The HICT_Loop class in Delta Electronics DIAEnergy v1.9 contains a SQL Injection flaw that could allow an atta...

CVE-2022-43774CRITICAL9.8ten sam produkt

The HandlerPageP_KID class in Delta Electronics DIAEnergy v1.9 contains a SQL Injection flaw that could allow ...

CVE-2022-3214CRITICAL9.8ten sam produkt

Delta Industrial Automation's DIAEnergy, an industrial energy management system, is vulnerable to CWE-798, Use...

CVE-2024-4547 — Deltaww — Diaenergie — CRITICAL — CVSS 9.8 | CVEbaza.pl