CVE-2024-43699

9.8 CRITICAL

📋 TL;DR

Delta Electronics DIAEnergie has an SQL injection vulnerability in the AM_RegReport.aspx script that lets an unauthenticated attacker run attacker-controlled SQL against the backend database and read its contents. DIAEnergie is an industrial energy management product, so organizations running a vulnerable version in critical-infrastructure or plant networks are exposed to data theft and, through harvested credentials, to follow-on compromise.

💻 Affected Systems

Products:
  • Delta Electronics DIAEnergie
Versions: All versions prior to 1.10.1.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: DIAEnergie is typically deployed on Windows Server environments in industrial control settings.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full read access to the DIAEnergie database (operational data, configuration, stored credentials) and, if the application's database account has write privileges, modification of that data; harvested credentials give a path for lateral movement into connected industrial control systems.

🟠

Likely Case

Unauthorized access to energy management data, configuration details, and potentially credential harvesting from the database.

🟢

If Mitigated

Exploitation attempts are blocked by network access controls before they reach the web interface, and the attempts themselves are logged and alerted on.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection is a well-understood bug class, the vulnerable endpoint requires no authentication, and the CVSS vector implies low attack complexity. Expect exploitation as soon as an attacker can reach the web interface, with or without a public proof of concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.1.0

Vendor Advisory: https://www.deltaww.com/en-US/Cybersecurity_Advisory

Restart Required: Yes

Instructions:

1. Download DIAEnergie version 1.10.1.0 from the Delta Electronics portal.
2. Back up the current installation and its database.
3. Run the installer to upgrade.
4. Restart the DIAEnergie service and verify functionality.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate DIAEnergie systems from untrusted networks and from the internet; the web interface should be reachable only from the management hosts that need it.

Web Application Firewall

all

Deploy a WAF with SQL injection rules in front of the web interface. Treat this as a stop-gap only: generic SQLi signatures can be bypassed with encoding and comment tricks, so pair it with source-address restrictions on AM_RegReport.aspx rather than relying on it alone.

🧯 If You Can't Patch

  • Implement strict network access controls so that the DIAEnergie web interface, and AM_RegReport.aspx in particular, is reachable only from trusted management addresses
  • Run the application's database account with the least privilege it needs (read-only where the product allows it) so a successful injection cannot modify data or escalate through the database server
  • Deploy intrusion detection monitoring for SQL injection patterns in requests to AM_RegReport.aspx

🔍 How to Verify

Check if Vulnerable:

Check DIAEnergie version in web interface or installation directory. Versions below 1.10.1.0 are vulnerable.

Check Version:

Check web interface or installation properties for version number

Verify Fix Applied:

Verify that the version shows 1.10.1.0 or higher in the DIAEnergie interface. As a functional check, send a harmless probe to AM_RegReport.aspx (for example a single quote character in one of its request parameters) and confirm the application returns a handled error or an empty result rather than a database error or a different response that indicates the input reached the query.
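The version check above is easy to get wrong with a plain string comparison ("1.9.0.0" sorts after "1.10.1.0" lexicographically). The following added example, not Delta Electronics tooling, parses a version string as read from the installed-program metadata or the web UI and compares it numerically against the fixed version; the input strings in the test are constructed and are not claimed to be real DIAEnergie build numbers.

```python
"""Decide whether a DIAEnergie build is below the fixed version 1.10.1.0.

Added example for this advisory (not Delta Electronics code). It assumes the
version string has already been read from the installed-program metadata or
the web interface; the numeric comparison is the point, because a plain
string comparison orders "1.9" after "1.10".
"""
from typing import Tuple

# Fixed version named in the advisory.
FIXED_VERSION = (1, 10, 1, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn strings such as '1.10.0.5', 'v1.9.2' or '1.10.1.0 (build 77)'
    into a tuple of ints. Missing trailing components count as 0, so
    '1.10.1' equals '1.10.1.0'."""
    core = text.strip().lstrip("vV").split()[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    while len(parts) < len(FIXED_VERSION):
        parts.append(0)
    return tuple(parts)


def is_vulnerable(text: str) -> bool:
    """True for any version strictly below 1.10.1.0 (the affected range)."""
    return parse_version(text) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed inputs, not real build numbers.
    for sample in ("1.9.0.0", "1.10.0.5", "1.10.1.0", "1.11.0.0"):
        print(sample, "VULNERABLE" if is_vulnerable(sample) else "fixed")
```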

📡 Detection & Monitoring

Log Indicators:

  • Unusual or unexpectedly broad queries from the web server's database account
  • Database syntax errors in application or SQL Server logs that correlate in time with requests to AM_RegReport.aspx
  • Requests to AM_RegReport.aspx whose parameters contain quotes, comment sequences (--, /*) or SQL keywords, including URL-encoded forms such as %27

Network Indicators:

  • HTTP requests to AM_RegReport.aspx containing SQL keywords or encoded quote/comment sequences, especially from addresses that do not normally use the interface
  • Unusual database connection patterns or response sizes from the web server (a UNION-based extraction returns far more data than a normal report)

SIEM Query:

source="web_logs" AND uri="*AM_RegReport.aspx*" AND (query="*SELECT*" OR query="*UNION*" OR query="*INSERT*" OR query="*DELETE*")

Normalize the query string (URL-decode, including double encoding, and lowercase) before matching; as written, the keyword list misses encoded payloads such as %27 or %2527 and time-based probes (WAITFOR), and it will false-positive on legitimate parameter values that merely contain a keyword.
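To show the normalization the SIEM query needs, here is an added example (not part of the advisory or of Delta's product) that scans W3C/IIS-style log lines for injection attempts against AM_RegReport.aspx. It URL-decodes the query string repeatedly so double-encoded payloads are visible, matches case-insensitively, and requires a quote or comment sequence alongside a keyword so that a benign parameter value such as `select_all` is not flagged. The log lines are constructed, not captured traffic, and the field layout is an assumption about the log format.

```python
"""Flag suspected SQL injection attempts against DIAEnergie's AM_RegReport.aspx
in W3C/IIS-style web server log lines.

Added example for this advisory; not Delta Electronics code. The log lines
below are constructed, and the assumed field order is:
date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
"""
import re
from urllib.parse import unquote_plus

# The vulnerable script named in the advisory.
TARGET_SCRIPT = "am_regreport.aspx"

# Matched after URL-decoding, case-insensitively. Keywords alone are noisy,
# so a hit also needs a quote, comment sequence or classic tautology.
SQL_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|waitfor|exec|xp_cmdshell)\b", re.I)
SQL_SYNTAX = re.compile(
    r"('|--|/\*|;|\bor\b\s+\d+\s*=\s*\d+|\band\b\s+\d+\s*=\s*\d+)", re.I)


def decode_query(raw: str) -> str:
    """URL-decode up to three times so %2527 (double-encoded quote) becomes '."""
    decoded = raw
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def parse_w3c_line(line: str):
    """Parse one log line into a dict; None for comments or malformed lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, client_ip, method, uri_stem, uri_query, status = parts[:7]
    return {"date": date, "time": time, "client_ip": client_ip, "method": method,
            "uri_stem": uri_stem,
            "uri_query": "" if uri_query == "-" else uri_query,
            "status": status}


def classify(entry):
    """Return a reason string if the request looks like SQLi on the target, else None."""
    if not entry["uri_stem"].lower().endswith(TARGET_SCRIPT):
        return None
    query = decode_query(entry["uri_query"])
    syntax = SQL_SYNTAX.search(query)
    keyword = SQL_KEYWORDS.search(query)
    if syntax and keyword:
        return f"sqli: keyword {keyword.group(0).upper()} with syntax {syntax.group(0)!r}"
    if syntax:
        return f"suspicious syntax {syntax.group(0)!r}"
    return None


def scan(lines):
    """Return (client_ip, decoded_query, reason) for every flagged line."""
    hits = []
    for line in lines:
        entry = parse_w3c_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["client_ip"], decode_query(entry["uri_query"]), reason))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-09-10 08:00:01 10.1.2.3 GET /DIAEnergie/AM_RegReport.aspx id=12 200
2024-09-10 08:00:09 203.0.113.7 GET /DIAEnergie/AM_RegReport.aspx id=12%27%20UNION%20SELECT%20name%2Cpassword%20FROM%20users-- 500
2024-09-10 08:00:15 203.0.113.7 GET /DIAEnergie/AM_RegReport.aspx id=12%2527%2520OR%25201%253D1-- 200
2024-09-10 08:00:20 10.1.2.9 GET /DIAEnergie/Default.aspx q=select%27 200
2024-09-10 08:00:25 10.1.2.3 GET /DIAEnergie/AM_RegReport.aspx name=select_all 200
""".splitlines()

if __name__ == "__main__":
    for ip, query, reason in scan(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{query}")
```

Only the two requests from 203.0.113.7 are flagged: the UNION SELECT payload, and the double-encoded `' OR 1=1--` that a single-pass decoder would miss. The request to Default.aspx is ignored because it does not touch the vulnerable script, and `name=select_all` is not flagged because it carries a keyword without any injection syntax.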

🔗 References
