PatchSiren cyber security CVE debrief
CVE-2024-43699 Delta Electronics CVE debrief
Delta Electronics DIAEnergie industrial energy management system contains a critical SQL injection vulnerability in the AM_RegReport.aspx script. The flaw allows an unauthenticated remote attacker to extract database records. CISA published advisory ICSA-24-277-03 on October 3, 2024, documenting this vulnerability with a CVSS 3.1 score of 9.8 (Critical). The affected product is DIAEnergie version 1.10.01.008 and earlier. Delta Electronics has released version 1.10.01.009 to address this issue. Organizations should prioritize patching given the unauthenticated network attack vector and the high confidentiality, integrity, and availability impact.
- Vendor: Delta Electronics
- Product: DIAEnergie
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-03
- Original CVE updated: 2024-10-03
- Advisory published: 2024-10-03
- Advisory updated: 2024-10-03
Who should care
Organizations operating Delta Electronics DIAEnergie industrial energy management systems, particularly in manufacturing, utilities, and critical infrastructure sectors. Security teams responsible for OT/ICS environments, energy management system administrators, and compliance officers maintaining NERC CIP or IEC 62443 standards should prioritize assessment and remediation.
Technical summary
The AM_RegReport.aspx script in Delta Electronics DIAEnergie fails to properly sanitize user-supplied input before it reaches the database query, enabling SQL injection. An unauthenticated attacker can send crafted HTTP requests to manipulate the query and extract sensitive records. The vulnerability is exploitable over the network without authentication and is rated high impact on confidentiality, integrity, and availability under CVSS 3.1. Affected versions are DIAEnergie 1.10.01.008 and earlier. The vendor has released version 1.10.01.009 as a security fix.
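The defect class named above, input concatenated into a query, is shown here beside its parameterized form. This is an added illustration written for this debrief, not DIAEnergie code (the real script is ASP.NET; this analogue uses Python and an in-memory SQLite table). The table name reg_report, its columns, the RPT-nnn identifier shape and the report_id parameter are all assumptions.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory table standing in for the report records the
    vulnerable script queries. Schema and rows are assumptions for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reg_report (report_id TEXT, site TEXT, kwh REAL)")
    conn.executemany(
        "INSERT INTO reg_report VALUES (?, ?, ?)",
        [
            ("RPT-001", "Plant A", 1520.5),
            ("RPT-002", "Plant B", 980.0),
            ("RPT-003", "Plant C", 2210.75),
        ],
    )
    return conn


def lookup_vulnerable(conn, report_id):
    """The defect class in the advisory: the caller-supplied value becomes part
    of the SQL text, so quoting in the input changes the query's logic."""
    sql = (
        "SELECT report_id, site, kwh FROM reg_report WHERE report_id = '"
        + report_id
        + "'"
    )
    return conn.execute(sql).fetchall()


# Allowlist for the assumed identifier format; anything else is rejected outright.
REPORT_ID_RE = re.compile(r"^RPT-\d{3}$")


def lookup_hardened(conn, report_id):
    """Validate the identifier shape first, then bind it as a query parameter so
    the database driver never interprets the value as SQL."""
    if not REPORT_ID_RE.fullmatch(report_id):
        return []
    sql = "SELECT report_id, site, kwh FROM reg_report WHERE report_id = ?"
    return conn.execute(sql, (report_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # tautology input: every row, not one report
    print("vulnerable:", lookup_vulnerable(db, crafted))
    print("hardened:  ", lookup_hardened(db, crafted))
    print("hardened, valid id:", lookup_hardened(db, "RPT-002"))
```

With the tautology input the concatenated query returns every row in the table, while the hardened lookup rejects it before any SQL runs and still returns the single expected row for a well-formed identifier. Parameter binding alone would already neutralise the quoting; the allowlist is the extra layer that keeps malformed identifiers out of the database entirely.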
Defensive priority
critical
Recommended defensive actions
- Contact Delta Electronics regional sales or agents to obtain DIAEnergie v1.10.01.009 and apply the vendor fix immediately
- Review the Delta product cybersecurity advisory for additional technical details and mitigation guidance
- Implement network segmentation to restrict DIAEnergie system access to authorized personnel only
- Monitor for anomalous database queries or unexpected data access patterns in DIAEnergie deployments
- Apply CISA ICS recommended practices for defense-in-depth strategies in industrial control environments
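The monitoring action above is easiest to act on at the web tier, where requests to the named script are logged before they reach the database. The following detector is an added example written for this debrief, not a Delta or CISA tool: it parses IIS-style W3C extended log lines, keeps only requests for AM_RegReport.aspx, URL-decodes the query string and flags generic SQL injection indicators. The log lines, the rid parameter, the IP addresses and the field layout are constructed assumptions; DIAEnergie's real parameter names are not in the advisory.

```python
import re
from urllib.parse import unquote_plus

# Script named in advisory ICSA-24-277-03; compared case-insensitively because
# IIS paths are not case-sensitive.
TARGET_SCRIPT = "/am_regreport.aspx"

# Conservative, generic SQL injection indicators for an endpoint whose legitimate
# parameters are expected to be short identifiers and dates.
SQLI_INDICATORS = [
    ("quote", re.compile(r"'")),
    ("comment_or_stack", re.compile(r"--|/\*|;")),
    ("sql_keyword", re.compile(
        r"\b(union|select|insert|update|delete|drop|exec|waitfor)\b", re.I)),
    ("boolean_tautology", re.compile(
        r"\b(or|and)\b\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I)),
]

# Constructed sample log (assumed W3C field order); not real DIAEnergie traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-10-04 08:12:01 10.0.5.20 GET /AM_RegReport.aspx rid=RPT-001&from=2024-09-01 80 jdoe 10.0.5.44 Mozilla/5.0 200
2024-10-04 08:12:07 10.0.5.20 GET /AM_RegReport.aspx rid=RPT-001%27+OR+%271%27%3D%271 80 - 203.0.113.9 python-requests/2.31 200
2024-10-04 08:12:09 10.0.5.20 GET /AM_RegReport.aspx rid=RPT-001%27+UNION+SELECT+1%2C2%2C3-- 80 - 203.0.113.9 python-requests/2.31 500
2024-10-04 08:13:00 10.0.5.20 GET /Login.aspx - 80 - 10.0.5.44 Mozilla/5.0 200
"""


def parse_w3c(lines):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def score_query(query):
    """Decode the query string (twice, to catch double-encoding) and return the
    names of the indicators that match, plus the decoded text."""
    decoded = unquote_plus(unquote_plus(query))
    hits = [name for name, rx in SQLI_INDICATORS if rx.search(decoded)]
    return hits, decoded


def find_suspicious(lines):
    """Return a finding for every request to the target script whose query
    string carries at least one SQL injection indicator."""
    findings = []
    for rec in parse_w3c(lines):
        if rec.get("cs-uri-stem", "").lower() != TARGET_SCRIPT:
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        hits, decoded = score_query(query)
        if hits:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip"),
                "unauthenticated": rec.get("cs-username", "-") == "-",
                "status": rec.get("sc-status"),
                "decoded_query": decoded,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f)
```

On the sample, the authenticated request with a well-formed identifier is not flagged, while the two anonymous requests from 203.0.113.9 are, with the indicator names and the HTTP status carried into the finding. The unauthenticated flag matters for this CVE in particular: with the vulnerability reachable before login, injection indicators on anonymous requests to this script are the most direct signal. Tune the indicator list to the parameters your deployment actually sends; an apostrophe alone is a weak signal on endpoints that accept free text.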
Evidence notes
CISA CSAF advisory ICSA-24-277-03 published 2024-10-03 identifies SQL injection in AM_RegReport.aspx affecting DIAEnergie <=v1.10.01.008. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirms unauthenticated network exploitable with high impact across all CIA triad components. Vendor fix available in v1.10.01.009 per remediation guidance.
Official resources
- CVE-2024-43699 CVE record (CVE.org)
- CVE-2024-43699 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-10-03