ID

VAR-202403-0789


CVE

CVE-2024-28040


TITLE

Delta Electronics DIAEnergie SQL Injection Vulnerability (CNVD-2025-06626)

Trust: 0.6

sources: CNVD: CNVD-2025-06626

DESCRIPTION

A SQL injection vulnerability exists in GetDIAE_astListParameters. Delta Electronics DIAEnergie is an industrial energy management system from Delta Electronics, a Taiwanese company, used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency. Delta Electronics DIAEnergie versions prior to v1.10.00.005 have a SQL injection vulnerability that allows attackers to view, add, modify, or delete information in the backend database.

Trust: 1.44

sources: NVD: CVE-2024-28040 // CNVD: CNVD-2025-06626

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-06626

AFFECTED PRODUCTS

vendor: delta
model: electronics diaenergie
scope: lt
version: 1.10.00.005

Trust: 0.6

sources: CNVD: CNVD-2025-06626

CVSS

SEVERITY

CVSSV2

CVSSV3

ics-cert@hq.dhs.gov: CVE-2024-28040
value: HIGH

Trust: 1.0

CNVD: CNVD-2025-06626
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-06626
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

ics-cert@hq.dhs.gov: CVE-2024-28040
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-06626 // NVD: CVE-2024-28040

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.0

sources: NVD: CVE-2024-28040

PATCH

title: Patch for Delta Electronics DIAEnergie SQL Injection Vulnerability (CNVD-2025-06626)
url: https://www.cnvd.org.cn/patchInfo/show/676716

Trust: 0.6

sources: CNVD: CNVD-2025-06626

EXTERNAL IDS

db: NVD, id: CVE-2024-28040

Trust: 1.6

db: ICS CERT, id: ICSA-24-074-12

Trust: 1.0

db: CNVD, id: CNVD-2025-06626

Trust: 0.6

sources: CNVD: CNVD-2025-06626 // NVD: CVE-2024-28040

REFERENCES

url: https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12

Trust: 1.0

url: https://cxsecurity.com/cveshow/cve-2024-28040/

Trust: 0.6

sources: CNVD: CNVD-2025-06626 // NVD: CVE-2024-28040

SOURCES

db: CNVD, id: CNVD-2025-06626
db: NVD, id: CVE-2024-28040

LAST UPDATE DATE

2025-04-10T23:01:49.373000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-06626, date: 2025-04-08T00:00:00
db: NVD, id: CVE-2024-28040, date: 2024-03-22T12:45:36.130

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-06626, date: 2025-04-08T00:00:00
db: NVD, id: CVE-2024-28040, date: 2024-03-21T23:15:10.250