Details of VAR-202203-2076

ID

VAR-202203-2076

TITLE

(0Day) Delta Industrial Automation DIAEnergie HandlerPage_KID Arbitrary File Upload Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-22-423

DESCRIPTION

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation DIAEnergie. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the HandlerPage_KID endpoint. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of web server.

Trust: 0.7

sources: ZDI: ZDI-22-423

AFFECTED PRODUCTS

vendor:

delta industrial automation

model:

diaenergie

scope:

version:

Trust: 0.7

sources: ZDI: ZDI-22-423

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	ZDI-22-423
value:	CRITICAL
Trust: 0.7

ZDI:	ZDI-22-423
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-22-423

EXTERNAL IDS

db:	ZDI_CAN	id:	ZDI-CAN-15580	Trust: 0.7
db:	ZDI	id:	ZDI-22-423	Trust: 0.7

sources: ZDI: ZDI-22-423

CREDITS

Dusan Stevanovic from Trend Micro Security Research

Trust: 0.7

sources: ZDI: ZDI-22-423

SOURCES

db:

ZDI

id:

ZDI-22-423

LAST UPDATE DATE

2022-05-17T02:08:52.082000+00:00

SOURCES UPDATE DATE

db:

ZDI

id:

ZDI-22-423

date:

2022-03-30T00:00:00

SOURCES RELEASE DATE

db:

ZDI

id:

ZDI-22-423

date:

2022-03-01T00:00:00