CVE-2021-38390

Name of the Vulnerable Software and Affected Versions Delta Electronics DIAEnergie versions 1.7.5 and prior

Description A Blind SQL injection issue exists due to improper validation of the user-controlled value supplied through the egyid parameter in the "/DataHandler/HandlerEnergyType.ashx" endpoint. This allows a remote, unauthenticated attacker to execute arbitrary code in the context of NT SERVICEMSSQLSERVER.

Recommendations For Delta Electronics DIAEnergie versions 1.7.5 and prior, consider restricting access to the "/DataHandler/HandlerEnergyType.ashx" endpoint until a patch is available. As a temporary workaround, avoid using the egyid parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.