CVE-2022-26065 - Vulnerability Details - OpenCVE

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Deltaww	Diaenergie

Configuration 1 [-]

cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01

History

Wed, 16 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-03-29T16:37:08.222Z

Updated: 2025-04-16T16:36:24.327Z

Reserved: 2022-03-14T00:00:00.000Z

Link: CVE-2022-26065

Vulnrichment

Updated: 2024-08-03T04:56:37.454Z

NVD

Status : Modified

Published: 2022-03-29T17:15:15.693

Modified: 2024-11-21T06:53:22.197

Link: CVE-2022-26065

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [{"lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA."}], "datePublic": "2022-03-22T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-29T16:23:23.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"}], "solutions": [{"lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices"}], "source": {"advisory": "ICSA-22-081-01", "discovery": "UNKNOWN"}, "title": "Delta Electronics DIAEnergie SQL Injection in GetLatestDemandNode and GetDemandAnalysisData", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26065", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in GetLatestDemandNode and GetDemandAnalysisData"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DIAEnergie", "version": {"version_data": [{"version_affected": "<", "version_value": "1.8.02.004"}]}}]}, "vendor_name": "Delta Electronics"}]}}, "credit": [{"lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"}]}, "solution": [{"lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices"}], "source": {"advisory": "ICSA-22-081-01", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:56:37.454Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:57:13.896488Z", "id": "CVE-2022-26065", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T16:36:24.327Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26065", "datePublished": "2022-03-29T16:37:08.222Z", "dateReserved": "2022-03-14T00:00:00.000Z", "dateUpdated": "2025-04-16T16:36:24.327Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:56:37.454Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-26065", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T15:57:13.896488Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:57:15.552Z"}}], "cna": {"title": "Delta Electronics DIAEnergie SQL Injection in GetLatestDemandNode and GetDemandAnalysisData", "source": {"advisory": "ICSA-22-081-01", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Delta Electronics", "product": "DIAEnergie", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.8.02.004", "versionType": "custom"}]}], "solutions": [{"lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices"}], "datePublic": "2022-03-22T00:00:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-04-29T16:23:23.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "ICSA-22-081-01", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.8.02.004", "version_affected": "<"}]}, "product_name": "DIAEnergie"}]}, "vendor_name": "Delta Electronics"}]}}, "solution": [{"lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-26065", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in GetLatestDemandNode and GetDemandAnalysisData", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2022-26065", "state": "PUBLISHED", "dateUpdated": "2025-04-16T16:36:24.327Z", "dateReserved": "2022-03-14T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-03-29T16:37:08.222Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFE259F4-C6EC-41EE-B1E1-693C9248931F", "versionEndExcluding": "1.8.02.004", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands."}, {"lang": "es", "value": "Delta Electronics DIAEnergie (Todas las versiones anteriores a la 1.8.02.004) tiene una vulnerabilidad de inyecci\u00f3n SQL ciega en GetLatestDemandNode. Esto permite a un atacante inyectar consultas SQL arbitrarias, recuperar y modificar el contenido de la base de datos y ejecutar comandos del sistema"}], "id": "CVE-2022-26065", "lastModified": "2024-11-21T06:53:22.197", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-29T17:15:15.693", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Secondary"}]}