Security Experts:

Connect with us

Hi, what are you looking for?



Exploitation of Flaws in Delta Energy Management System Could Have ‘Dire Consequences’

An industrial energy management system made by Delta Electronics is affected by several vulnerabilities whose exploitation could have serious consequences in a real world environment, according to the researcher who discovered the flaws.

An industrial energy management system made by Delta Electronics is affected by several vulnerabilities whose exploitation could have serious consequences in a real world environment, according to the researcher who discovered the flaws.

The existence of the vulnerabilities affecting Delta’s DIAEnergie product was disclosed last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the researcher who identified them, Michael Heinzl.

The security holes were reported to the vendor, through CISA, in April, but they have yet to be patched. CISA says patches are expected to become available on September 15. In the meantime, organizations using the affected product have been advised to implement mitigations to reduce the risk of exploitation.

DIAEnergie vulnerabilitiesHeinzl told SecurityWeek that the eight DIAEnergie vulnerabilities disclosed last week are just some of the issues he reported to the vendor. The remaining flaws will be disclosed at a later date.

Four of the eight vulnerabilities have been rated “critical” and described as blind SQL injection bugs that can be exploited by remote, unauthenticated attackers to execute arbitrary code.

“Critical” severity ratings have also been assigned to a vulnerability that can be exploited to add new admin users and gain access to the device, and a flaw that can be leveraged for unrestricted file uploads and possibly remote code execution.

The remaining two issues have been described as medium-severity flaws that can be exploited to obtain a password in clear text and to launch cross-site request forgery (CSRF) attacks.

The affected services are exposed to the network, which means the vulnerabilities can be exploited remotely, the researcher said. In some cases, exploitation from the internet might also be possible, depending on how the user’s network and infrastructure are configured.

“There are multiple ways how the vulnerabilities could be chained together,” Heinzl told SecurityWeek. “A malicious actor has multiple venues to achieve a complete compromise of both the DIAEnergie application itself, as well as the underlying system on which the application is deployed on.”

He added, “Examples include multiple SQL injections, which would allow an attacker to execute system commands or to retrieve credentials (stored as MD5 hashes, therefore trivial to crack) from the database, an arbitrary file upload vulnerability which also allows the execution of system commands, and others. Due to another issue related to authentication and authorization, it’s possible to exploit all of these and similar privileged actions without any prior authentication.”

DIAEnergie is an industrial energy management system (IEMS) designed to help companies visualize and improve electric and power systems, particularly high-consumption equipment. The product can be used for remote maintenance and it can be integrated with various industrial control systems (ICS) and data sinks, including power meters, programmable logic controllers (PLCs) and other Modbus devices.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

In its advisory, CISA says the product is used worldwide. Marketing materials provided by the vendor show that the product is used by various types of organizations, including a semiconductor factory, a bearing manufacturer, and a footwear company.

“The consequences of a malicious actor’s actions could be dire for affected customers — falsifying monitoring data, suppressing alarms, using the system as the initial foothold in the network infrastructure for further pivoting, or simply ‘ransomwaring’ the deployment as has become so prevalent over the last five years or so,” Heinzl explained.

SecurityWeek has reached out to the vendor for comment, but the company has yet to respond.

CISA last week also published a separate advisory describing a high-severity remote code execution vulnerability affecting Delta’s DOPSoft HMI design software. Exploitation of this flaw involves getting the targeted user to open a specially crafted file.

The vulnerability was reported to the vendor through Trend Micro’s Zero Day Initiative (ZDI) by an anonymous researcher. ZDI over the past few months has published several advisories with a “0Day” status for Delta vulnerabilities — a “0Day” status indicates that the bugs have not been patched.

Related: Analysis of ICS Exploits Can Help Defenders Prioritize Vulnerability Remediation

Related: Industrial Firms Warned of Risk Posed by Cloud-Based ICS Management Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...