ID

VAR-202403-0783


CVE

CVE-2024-28171


TITLE

Delta Electronics DIAEnergie Path Traversal Vulnerability (CNVD-2025-06625)

Trust: 0.6

sources: CNVD: CNVD-2025-06625

DESCRIPTION

It is possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten. Delta Electronics DIAEnergie is an industrial energy management system from Delta Electronics, Taiwan, China, used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency. Delta Electronics DIAEnergie versions prior to v1.10.00.005 have a path traversal vulnerability caused by improper validation of user requests. An attacker can exploit this vulnerability to write arbitrary files on the system by sending a specially crafted URL request containing a "dot-dot" sequence (/../).

Trust: 1.44

sources: NVD: CVE-2024-28171 // CNVD: CNVD-2025-06625

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-06625

AFFECTED PRODUCTS

vendor: delta
model: electronics diaenergie
scope: lt
version: 1.10.00.005

Trust: 0.6

sources: CNVD: CNVD-2025-06625

CVSS

SEVERITY

ics-cert@hq.dhs.gov: CVE-2024-28171
value: HIGH

Trust: 1.0

CNVD: CNVD-2025-06625
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2025-06625
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

ics-cert@hq.dhs.gov: CVE-2024-28171
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-06625 // NVD: CVE-2024-28171

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.0

sources: NVD: CVE-2024-28171

PATCH

title: Patch for Delta Electronics DIAEnergie Path Traversal Vulnerability (CNVD-2025-06625)
url: https://www.cnvd.org.cn/patchInfo/show/676711

Trust: 0.6

sources: CNVD: CNVD-2025-06625

EXTERNAL IDS

db: NVD, id: CVE-2024-28171

Trust: 1.6

db: ICS CERT, id: ICSA-24-074-12

Trust: 1.0

db: CNVD, id: CNVD-2025-06625

Trust: 0.6

sources: CNVD: CNVD-2025-06625 // NVD: CVE-2024-28171

REFERENCES

url: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12

Trust: 1.0

url: https://cxsecurity.com/cveshow/cve-2024-28171/

Trust: 0.6

sources: CNVD: CNVD-2025-06625 // NVD: CVE-2024-28171

SOURCES

db: CNVD, id: CNVD-2025-06625
db: NVD, id: CVE-2024-28171

LAST UPDATE DATE

2025-04-11T22:44:38.991000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-06625, date: 2025-04-08T00:00:00
db: NVD, id: CVE-2024-28171, date: 2024-03-22T12:45:36.130

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-06625, date: 2025-04-08T00:00:00
db: NVD, id: CVE-2024-28171, date: 2024-03-21T23:15:10.693