Delta Electronics has issued an alert regarding critical vulnerabilities in its DIAEnergie industrial energy management system, detailed under advisory code ICSA-24-123-02. The vulnerabilities, identified as CVE-2024-34031, CVE-2024-34032, and CVE-2024-34033, involve SQL injection and path traversal, each with a CVSS v4 base score of 9.3. Exploitation of these vulnerabilities could allow an authenticated attacker with limited privileges to escalate their access, retrieve confidential information, upload arbitrary files, backdoor the application, and ultimately compromise the system.
Specifically, the SQL injection vulnerabilities exist in the scripts Handler_CFG.ashx and GetDIACloudList, enabling attackers to compromise the system. Additionally, the path traversal vulnerability arises from improper input validation, allowing attackers to write outside the intended directory. These issues affect DIAEnergie versions v1.10.00.005 and earlier, which are widely deployed in critical infrastructure sectors such as energy.
Delta Electronics recommends updating to DIAEnergie version 1.10.01.004 to address these vulnerabilities. Furthermore, CISA advises minimizing network exposure, locating control system networks behind firewalls, and using secure remote access methods like VPNs. Organizations should also perform risk assessments and implement cybersecurity best practices to defend against potential exploits.
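To act on the version guidance above, the following added example (not part of the advisory or of Delta's tooling) triages an asset inventory against the two version numbers the text gives. The host names and inventory are constructed, and treating releases newer than 1.10.01.004 as fixed is an assumption; versions that fall between the two stated boundaries are not covered by the text, so they are flagged for manual review.

```python
import re

# Boundaries taken from the advisory text above.
LAST_AFFECTED = (1, 10, 0, 5)   # v1.10.00.005 and earlier are affected
FIXED = (1, 10, 1, 4)           # 1.10.01.004 is the recommended update

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)


def parse_version(text):
    """Turn 'v1.10.00.005' or '1.10.01.004' into an integer tuple, else None.

    Comparing integers avoids the string-compare trap where '1.9...' sorts
    after '1.10...' and zero padding changes the ordering.
    """
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'affected', 'fixed', 'review' or 'unparseable' for one version."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"      # inventory data needs fixing before triage
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIXED:
        return "fixed"            # assumption: later releases keep the fix
    return "review"               # between the boundaries: status not stated


def triage(inventory):
    """Group host names by status; hosts are sorted for stable reporting."""
    groups = {"affected": [], "review": [], "fixed": [], "unparseable": []}
    for host, version_text in inventory.items():
        groups[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hypothetical hosts, not real deployments).
SAMPLE_INVENTORY = {
    "ems-plant-a": "v1.10.00.005",
    "ems-plant-b": "1.9.02.001",
    "ems-plant-c": "1.10.01.004",
    "ems-lab": "1.10.00.009",
    "ems-legacy": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```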
Michael Heinzl reported these vulnerabilities to CISA, highlighting the need for prompt action to secure affected systems. While there have been no known public exploits targeting these vulnerabilities, proactive measures are essential to protect against potential threats. CISA’s website offers additional resources and guidance for enhancing ICS cybersecurity.