PatchSiren cyber security CVE debrief
CVE-2024-34033 Delta Electronics CVE debrief
Delta Electronics DIAEnergie v1.10.00.005 contains a path traversal vulnerability due to insufficient input validation. An authenticated attacker with low privileges can exploit this flaw to write files outside the intended directory, with the additional risk of overwriting existing files on the target system. The vulnerability carries a HIGH severity CVSS 3.1 score of 8.8, reflecting significant confidentiality, integrity, and availability impacts. CISA published advisory ICSA-24-123-02 on May 2, 2024, coordinating disclosure of this industrial control system vulnerability. The affected product is an energy management system used in industrial environments, making this vulnerability particularly relevant to critical infrastructure operators.
- Vendor: Delta Electronics
- Product: DIAEnergie
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-02
- Original CVE updated: 2024-05-02
- Advisory published: 2024-05-02
- Advisory updated: 2024-05-02
Who should care
Organizations operating Delta Electronics DIAEnergie energy management systems in industrial environments, particularly critical infrastructure operators in energy, manufacturing, and building automation sectors. Security teams responsible for ICS/OT asset protection and vulnerability management programs should prioritize this patch given the high CVSS score and potential for system compromise.
Technical summary
The vulnerability exists in DIAEnergie v1.10.00.005 due to insufficient input validation on file path parameters. An attacker can manipulate file name inputs to traverse directory structures and write files to arbitrary locations on the file system. When a specified file name matches an existing file, the original file is overwritten without validation. The attack requires network access and low-privilege authentication but does not require user interaction. Successful exploitation enables attackers to modify critical system files, potentially leading to code execution, system compromise, or denial of service in industrial energy management environments.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor-supplied update to DIAEnergie v1.10.01.004 by contacting Delta Electronics regional sales or authorized agents
- Until the patch is applied, verify that input sanitization is enforced on all file path parameters in DIAEnergie deployments
- Implement network segmentation to restrict DIAEnergie system access to authorized administrative hosts only
- Monitor for anomalous file system write operations outside expected application directories
- Review file integrity monitoring alerts for unexpected modifications to critical system files
- Ensure backup and recovery procedures are tested and current before applying the vendor fix
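The traversal-and-overwrite pattern from the technical summary, and the input-validation and write-monitoring actions above, as an added Python example that is not DIAEnergie's code or Delta's fix: a write helper that maps an untrusted file name onto a fixed export directory, rejects any name that resolves outside it, and refuses to clobber an existing file. The directory and file names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a caller-supplied file name would escape the allowed directory."""


def resolve_inside(base_dir: str, user_name: str) -> Path:
    """Map an untrusted file name onto a path that must sit directly under base_dir."""
    # Accept a bare file name only: either platform's separator, or '.'/'..', is rejected.
    if not user_name or "/" in user_name or "\\" in user_name or user_name in (".", ".."):
        raise UnsafePathError(f"not a bare file name: {user_name!r}")
    base = Path(base_dir).resolve()
    target = (base / user_name).resolve()
    # Compare resolved paths (absolute, symlinks followed), never the raw string.
    if target.parent != base:
        raise UnsafePathError(f"{target} resolves outside {base}")
    return target


def safe_write(base_dir: str, user_name: str, data: bytes, overwrite: bool = False) -> Path:
    """Write data to base_dir/user_name, refusing traversal and, by default, overwrite."""
    target = resolve_inside(base_dir, user_name)
    # O_EXCL makes create-or-fail atomic, so no pre-check/write race can clobber a file.
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if overwrite else os.O_EXCL)
    fd = os.open(target, flags, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run the helper over constructed inputs; returns the outcome per case."""
    results = {}
    with tempfile.TemporaryDirectory() as export_dir:  # stands in for the app's export directory
        results["report.csv"] = "written" if safe_write(export_dir, "report.csv", b"kwh,ts\n").is_file() else "missing"
        for name in ("../../etc/passwd", "..\\..\\Windows\\win.ini", "sub/x.txt", ".."):
            try:
                safe_write(export_dir, name, b"x")
                results[name] = "written"
            except UnsafePathError:
                results[name] = "rejected"
        try:
            safe_write(export_dir, "report.csv", b"clobbered")
            results["overwrite"] = "overwritten"
        except FileExistsError:
            results["overwrite"] = "refused"
    return results
```

Any rejection raised by `resolve_inside` is the event worth logging and alerting on, since a legitimate client never sends a name with path components.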
Evidence notes
Vulnerability description and affected product version (DIAEnergie v1.10.00.005) confirmed through CISA CSAF advisory ICSA-24-123-02. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H sourced from official advisory. Remediation guidance provided by vendor through CISA coordination.
Official resources
- CVE-2024-34033 CVE record (CVE.org)
- CVE-2024-34033 NVD detail (NVD)
- Source item URL: cisa_csaf
CISA coordinated disclosure via ICSA-24-123-02 on May 2, 2024. No known exploitation in the wild has been reported. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.