DIAEnergie is a popular energy management software made by Delta Electronics. In late 2022, security researchers discovered a critical vulnerability in some versions of DIAEnergie (before v1.9.01.002) that could let attackers sneak harmful SQL code straight into the heart of its database. That’s CVE-2022-40967.
This article breaks down what went wrong, how it can be exploited, and how you can protect yourself from similar threats.
What’s the Problem? (A Quick Summary)
In plain English: Old versions of DIAEnergie have a bug in one of their web functions, called CheckIoTHubNameExisted. If a logged-in user (even with basic rights) sends it a sneaky request, they can insert and run arbitrary SQL commands in the database. That can mean hijacking accounts, stealing data, or messing with system operations.
Where Did the Vulnerability Happen?
Vulnerability Type: SQL Injection
Vulnerable Component: CheckIoTHubNameExisted
Affected Versions: DIAEnergie prior to v1.9.01.002
SQL injection happens when user input is passed straight into a database command without proper safety checks, letting attackers add their own instructions.
Here’s an illustration of what might’ve caused the problem, based on typical web API design:
// THIS IS INSECURE CODE – for educational purposes only!
public JsonResult CheckIoTHubNameExisted(string hubName)
{
    // hubName is concatenated into the SQL text, so it is parsed as SQL
    string query = "SELECT COUNT(*) FROM IoTHubs WHERE HubName = '" + hubName + "'";
    int count = db.ExecuteScalar(query);
    return Json(new { exists = count > 0 });
}
If someone puts abc' OR 1=1 -- as their hubName, the SQL becomes:
SELECT COUNT(*) FROM IoTHubs WHERE HubName = 'abc' OR 1=1 --'
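Because OR 1=1 matches every row, the count is positive whenever the table holds any hub at all, so the app reports the name as existing no matter what was asked. That’s just a start. A creative attacker can do much more.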
How Bad Is It? (Impact)
Who can exploit it? Any logged-in user—even with just low privileges.
Step-By-Step Attack Scenario
Let’s say you’re a regular user with credentials.
1. Log in to the DIAEnergie web portal.
2. Intercept your traffic using a tool like Burp Suite.
Example Raw HTTP POST
POST /CheckIoTHubNameExisted HTTP/1.1
Host: target-diaenergie.com
Cookie: sessionid=...
Content-Type: application/json
{
"hubName": "abc' UNION SELECT username, password FROM Users --"
}
This kind of input can trick the app into leaking data from the Users table, including usernames and password hashes.
> Note: The exact details may vary based on server-side implementation, but the basic method is consistent.
- 2022 – Security researchers discover and report the issue.
- 2022-11-15 – Delta Electronics releases an advisory urging immediate updates.
- Patch – Fixed in DIAEnergie v1.9.01.002 and later.
Official Advisory:
- CISA ICSA-22-319-02 Delta Electronics DIAEnergie
- Delta Security Notices
Write Your Code the Safe Way
The fix is simple: ALWAYS use parameterized queries. Here’s the safe version of the earlier API:
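public JsonResult CheckIoTHubNameExisted(string hubName)
{
    // The SQL text is fixed; @hubName is a placeholder, not spliced-in input
    string query = "SELECT COUNT(*) FROM IoTHubs WHERE HubName = @hubName";
    // SqlParameter (System.Data.SqlClient) sends hubName as a bound value
    var param = new SqlParameter("@hubName", hubName);
    int count = db.ExecuteScalar(query, param);
    return Json(new { exists = count > 0 });
}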
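The same before/after contrast as a runnable check, added here as an example (it is not DIAEnergie's code and not part of the original article). Python with an in-memory SQLite table stands in for the real stack, the rows are constructed, and the HUB_NAME_RE allow-list is a hypothetical naming rule.

```python
import re
import sqlite3

def make_db():
    """In-memory table named after the article's illustration; rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IoTHubs (HubName TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO IoTHubs VALUES (?)", [("plant-a",), ("plant-b",)])
    return conn

def exists_concatenated(conn, hub_name):
    """Insecure 'before': the input becomes part of the SQL text."""
    query = "SELECT COUNT(*) FROM IoTHubs WHERE HubName = '" + hub_name + "'"
    return conn.execute(query).fetchone()[0] > 0

def exists_parameterized(conn, hub_name):
    """'After': the input is bound as a value and is never parsed as SQL."""
    query = "SELECT COUNT(*) FROM IoTHubs WHERE HubName = ?"
    return conn.execute(query, (hub_name,)).fetchone()[0] > 0

# Hypothetical naming rule (assumption): defence in depth on top of binding.
HUB_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def exists_validated(conn, hub_name):
    """Reject names outside the allow-list, then run the bound query."""
    if not isinstance(hub_name, str) or not HUB_NAME_RE.fullmatch(hub_name):
        raise ValueError("invalid hub name")
    return exists_parameterized(conn, hub_name)

def outcome(lookup, conn, value):
    """Run one lookup and report what happened, for side-by-side comparison."""
    try:
        return "exists" if lookup(conn, value) else "absent"
    except sqlite3.OperationalError:
        return "sql-error"
    except ValueError:
        return "rejected"

if __name__ == "__main__":
    conn = make_db()
    # Inputs: a real hub, an unknown hub, the article's payload, a stray apostrophe.
    for value in ["plant-a", "no-such-hub", "abc' OR 1=1 --", "o'brien"]:
        row = [outcome(f, conn, value)
               for f in (exists_concatenated, exists_parameterized, exists_validated)]
        print(f"{value!r:20} {row}")
```

The concatenated lookup reports the article's payload as an existing hub and fails outright on a harmless apostrophe, while the bound query treats both as ordinary strings that match nothing.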
Conclusion
CVE-2022-40967 is a classic reminder: Even authenticated users can be a threat if you don’t carefully check all incoming data. Tools like DIAEnergie sit at the center of sensitive operational technology (OT) environments, and a simple SQL injection can cause chaos.
If you’re running DIAEnergie, patch now, lock down permissions, and run a security review. If you develop software, remember: user input is never safe—sanitize and validate everything.
Further Reading & References
- CISA Advisory ICSA-22-319-02
- Delta Electronics – Security Updates
- OWASP – SQL Injection
- SQL Injection Cheat Sheet
Stay safe! And always treat user input like the troublemaker it is.
Timeline
Published on: 10/27/2022 21:15:00 UTC
Last modified on: 10/28/2022 18:35:00 UTC