CVE-2024-4547
published 2024-05-06

Priority P262 | critical | 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.90% (77.0th percentile)
A SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateScript' message, which is split into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
--- | --- | --- | ---
delta_electronics | diaenergie | <= 1.10.1.8610 |
deltaww | diaenergie | < 1.10.01.004 | 1.10.01.004

Detection & IOCs (extracted from sources)

port: 928
command: echo -n "RecalculateScript~2024-01-01 00:00:00~2024-01-02 00:00:00~1); UPDATE DIAEnergie.dbo.DIAE_us SET pw=N'exJ/3E15SkSjem/EOj/ JubyAEzX5F5zrBVKdPff2C9I=' WHERE uid=1;--" | nc 928
process: CEBC.exe
  • Monitor TCP port 928 for inbound connections to CEBC.exe; any unauthenticated message beginning with 'RecalculateScript' followed by '~'-delimited fields should be treated as a potential SQLi attempt.
  • Detect SQL injection payloads in the fourth '~'-separated field of 'RecalculateScript' messages on TCP/928, specifically patterns such as ');INSERT, ');UPDATE, or '--' terminators targeting DIAEnergie.dbo tables.
  • Alert on writes to the DIAE_script table from network-originated SQL sessions, as the exploit inserts VBScript payloads executed as SYSTEM.
  • Alert on modifications to DIAE_us (uid=1) from network-originated SQL sessions, as the exploit is used to change the DIAEnergie root password.
  • The vulnerability is unauthenticated: CEBC.exe on TCP/928 requires no credentials before processing 'RecalculateScript' messages, meaning network-level access alone is sufficient for exploitation.
  • The injected SQL executes under the DIAEnergie SQL Server context; VBScript payloads inserted into DIAE_script are subsequently executed as SYSTEM, enabling full OS-level compromise.
  • Affected version is DIAEnergie v1.10.1.8610 and prior; patch target is v1.10.01.004 or later, which may require contacting a sales representative to obtain.
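The fourth-field check described in the detection notes above can be expressed as a small triage function for payloads captured on TCP/928. This is an added example, not code from the vendor or from this page's sources; the pattern list, the numeric-only allowlist for the fourth field, the 'Heartbeat' message name and the sample messages are assumptions constructed for illustration.

```python
import re

# Heuristics for SQL syntax that should not appear in the fourth field.
SUSPICIOUS = [
    ("statement terminator", re.compile(r";")),
    ("comment terminator", re.compile(r"--|/\*")),
    ("quote or paren break-out", re.compile(r"['\")]")),
    ("SQL keyword", re.compile(r"\b(insert|update|delete|exec|drop|select|union)\b", re.I)),
    ("DIAEnergie table reference", re.compile(r"DIAEnergie\.dbo|DIAE_(script|us)\b", re.I)),
]

def inspect_message(payload: bytes) -> dict:
    """Classify one message captured on TCP/928 (to CEBC.exe)."""
    text = payload.decode("utf-8", errors="replace").strip()
    if not text.startswith("RecalculateScript~"):
        return {"verdict": "ignore", "reasons": []}
    # maxsplit=3 keeps any extra '~' inside field four, so nothing is hidden
    # from inspection however the server itself splits the message.
    fields = text.split("~", 3)
    if len(fields) < 4:
        return {"verdict": "malformed", "reasons": ["fewer than 4 fields"]}
    fourth = fields[3]
    reasons = [name for name, rx in SUSPICIOUS if rx.search(fourth)]
    # Assumption: a legitimate fourth field is a bare numeric identifier.
    if not reasons and not re.fullmatch(r"\d+", fourth):
        reasons.append("non-numeric fourth field")
    return {"verdict": "alert" if reasons else "ok", "reasons": reasons, "field4": fourth}

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"RecalculateScript~2024-01-01 00:00:00~2024-01-02 00:00:00~7",
    b"RecalculateScript~2024-01-01 00:00:00~2024-01-02 00:00:00~"
    b"1); UPDATE DIAEnergie.dbo.DIAE_us SET pw=N'<placeholder>' WHERE uid=1;--",
    b"Heartbeat~x",
    b"RecalculateScript~2024-01-01 00:00:00~2024-01-02 00:00:00",
]

def triage(samples=SAMPLES) -> list:
    """Return (verdict, reasons) for each captured payload."""
    return [(r["verdict"], r["reasons"]) for r in map(inspect_message, samples)]

if __name__ == "__main__":
    for verdict, reasons in triage():
        print(verdict, reasons)
```

Treat an "alert" verdict as a lead to correlate with writes to DIAE_script or DIAE_us, since the keyword list is a heuristic and not a complete SQL grammar.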