cbcvebase.
CVE-2024-4548
published 2024-05-06

CVE-2024-4548: An SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateHDMWYC' message, which is split into…

PriorityP179critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
29.43%
97.9th percentile
An SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateHDMWYC' message, which is split into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field.

Affected

2 ranges
VendorProductVersion rangeFixed in
delta_electronicsdiaenergie<= 1.10.1.8610
deltawwdiaenergie< 1.10.01.0041.10.01.004

Detection & IOCsextracted from sources · hover to see the quote

port928
commandecho -n "RecalculateHDMWYC~2024-01-01 00:00:00~2024-01-02 00:00:00~1); UPDATE DIAEnergie.dbo.DIAE_us SET pw=N'uV5SW+n71LS/S/Bjd426N1hNF1r70booEbICe8yhAxc=' WHERE uid=1;--" | nc 928
processCEBC.exe
  • Monitor TCP port 928 for unauthenticated connections sending messages starting with 'RecalculateHDMWYC' — the fourth '~'-delimited field is the SQLi injection point.
  • Detect SQL injection payloads in the fourth field of 'RecalculateHDMWYC' messages on TCP/928, specifically patterns containing SQL keywords such as INSERT, UPDATE, or stacked queries (e.g., ');).
  • Exploitation results in command execution as NT AUTHORITY\SYSTEM via CEBC service; monitor for unexpected child processes spawned by CEBC.exe.
  • A public Metasploit module exists for this vulnerability (exploits/windows/scada/diaenergie_sqli); monitor for exploitation attempts matching that module's traffic pattern on TCP/928.
  • ·The vulnerability is unauthenticated — no credentials are required to exploit TCP/928; the service must be network-accessible for exploitation to succeed.
  • ·Affected versions are DIAEnergie v1.10.1.8610 and prior; patched version is v1.10.01.004 or later.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.