CRITICAL🇵🇱 Wersja polska

CVE-2024-4548

CVSS 9.8v3.1pub. 2024-05-06upd. 2025-06-27

An SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateHDMWYC' message, which is split into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field.

🤖 AI Analysis
How it works

The vulnerability occurs in the CEBC.exe process, which handles 'RecalculateHDMWYC' type messages. This message is split into four fields using '~' as a separator. The fourth field is not properly validated, which enables malicious SQL code injection. An attacker can send a specially crafted network message without needing any credentials, thereby triggering unauthorized database operations.

Impact

An unauthenticated remote attacker can gain unauthorized access to data stored in the database, modify or delete data, and depending on the environment configuration, potentially take control of the system with database server privileges.

Mitigation & patch

Apply patches available from the manufacturer according to the references. It is also recommended to restrict network access to DIAEnergie systems exclusively to trusted hosts and use a firewall to limit exposure of the CEBC.exe process to unauthorized network traffic.

Who is affected

Delta Electronics DIAEnergie version v1.10.1.8610 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Deltaww Diaenergie

    APP
    Deltaww
    < 1.10.01.004
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2024-43699CRITICAL9.3PL ✓ten sam produkt

SQL Injection w Delta Electronics DIAEnergie — dostęp do danych bez uwierzytelnienia

CVE-2024-4547CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Delta Electronics DIAEnergie — nieuwierzytelniony dostęp zdalny

CVE-2022-43775CRITICAL9.8ten sam produkt

The HICT_Loop class in Delta Electronics DIAEnergy v1.9 contains a SQL Injection flaw that could allow an atta...

CVE-2022-43774CRITICAL9.8ten sam produkt

The HandlerPageP_KID class in Delta Electronics DIAEnergy v1.9 contains a SQL Injection flaw that could allow ...

CVE-2022-3214CRITICAL9.8ten sam produkt

Delta Industrial Automation's DIAEnergy, an industrial energy management system, is vulnerable to CWE-798, Use...

CVE-2024-4548 — Deltaww — Diaenergie — CRITICAL — CVSS 9.8 | CVEbaza.pl