
CVE-2022-43775: SQL Injection in Delta Electronics DIAEnergie

Critical
Published: Wed Oct 26 2022 (10/26/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: Delta Electronics DIAEnergie

Description

The HICT_Loop class in Delta Electronics DIAEnergy v1.9 contains a SQL Injection flaw that could allow an attacker to gain code execution on a remote system.

AI-Powered Analysis

Last updated: 07/05/2025, 14:55:45 UTC

Technical Analysis

CVE-2022-43775 is a critical SQL Injection vulnerability identified in the HICT_Loop class of Delta Electronics DIAEnergy version 1.9. This flaw allows an unauthenticated remote attacker to inject malicious SQL commands due to improper sanitization of user-supplied input. Exploiting this vulnerability can lead to full code execution on the affected system, granting the attacker the ability to manipulate the database, extract sensitive information, or execute arbitrary commands with the privileges of the application. The vulnerability is classified under CWE-89, which pertains to improper neutralization of special elements used in SQL commands. The CVSS v3.1 base score of 9.8 reflects the high severity, with characteristics including network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the critical nature and ease of exploitation make this a significant threat. The lack of available patches at the time of reporting increases the urgency for mitigation. Delta Electronics DIAEnergy is an energy management software product, often deployed in industrial and critical infrastructure environments, which increases the risk profile of this vulnerability.

Potential Impact

For European organizations, the impact of this vulnerability can be severe, especially for those in sectors relying on Delta Electronics DIAEnergy for energy management and industrial control systems. Successful exploitation could lead to unauthorized access to sensitive operational data, disruption of energy management processes, and potential manipulation of industrial control parameters. This could result in operational downtime, financial losses, and compromise of critical infrastructure. The ability to execute arbitrary code remotely without authentication significantly raises the risk of lateral movement within networks and potential deployment of ransomware or other malware. Given the increasing focus on energy security and critical infrastructure protection in Europe, exploitation of this vulnerability could have cascading effects on national energy grids and industrial operations.

Mitigation Recommendations

European organizations using Delta Electronics DIAEnergy v1.9 should immediately assess their exposure and implement compensating controls. Since no official patches are currently available, organizations should:

1) Restrict network access to the DIAEnergy application, limiting it to trusted internal networks and VPNs only.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the HICT_Loop class.
3) Where the application can be modified, validate and sanitize input at the application layer and replace string-built SQL with parameterized queries or stored procedures; where only the database can be changed, apply database-level protections such as least-privilege database accounts.
4) Monitor application logs, database logs and network traffic for unusual database queries or other signs of exploitation attempts.
5) Engage with Delta Electronics support for updates on patches or mitigations and plan for immediate application once available.
6) Implement network segmentation to isolate critical systems running DIAEnergy from broader enterprise networks to limit potential lateral movement.
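A log-review check in the spirit of recommendation 4, added here as an example and not taken from the advisory or from Delta's product: it parses constructed Common Log Format access-log lines, decodes each query-string value and flags parameters whose decoded value carries SQL injection indicators, while leaving ordinary values containing an apostrophe alone. The request path /diaenergie/HICT_Loop, the parameter names and the log lines are hypothetical; the advisory does not name the real endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators of SQL injection attempts in a decoded query-string value.
# Tuned for review, not blocking: a hit means "look at this request".
SQLI_PATTERNS = [
    re.compile(r"(?i)\b(union\s+select|select\s+.+\s+from|insert\s+into|drop\s+table)\b"),
    re.compile(r"(?i)\b(xp_cmdshell|waitfor\s+delay)\b|\bsleep\s*\("),
    re.compile(r"(--|;|/\*|\*/)"),                       # comment / statement terminators
    re.compile(r"(?i)'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"),  # tautology after a closing quote
]

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample lines; the HICT_Loop path is a hypothetical placeholder.
LOG_LINES = """\
203.0.113.5 - - [26/Oct/2022:10:14:02 +0000] "GET /diaenergie/HICT_Loop?id=42 HTTP/1.1" 200 512
203.0.113.9 - - [26/Oct/2022:10:14:07 +0000] "GET /diaenergie/HICT_Loop?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9812
198.51.100.7 - - [26/Oct/2022:10:15:11 +0000] "GET /diaenergie/report?site=o%27neil HTTP/1.1" 200 300
198.51.100.12 - - [26/Oct/2022:10:15:40 +0000] "GET /diaenergie/HICT_Loop?id=1%20UNION%20SELECT%20null HTTP/1.1" 500 120
""".splitlines()


def suspicious_params(target: str) -> list[str]:
    """Return the names of query parameters whose decoded value matches an indicator."""
    names = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second pass catches double-encoded values
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            names.append(name)
    return names


def scan_access_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, flagged params) for each suspicious request."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        params = suspicious_params(m["target"])
        if params:
            findings.append((m["ip"], m["target"], params))
    return findings


if __name__ == "__main__":
    for ip, target, params in scan_access_log(LOG_LINES):
        print(f"{ip} {target} flagged params={params}")
```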


Technical Details

Data Version: 5.1
Assigner Short Name: tenable
Date Reserved: 2022-10-26T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd9b2b

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 2:55:45 PM

Last updated: 8/11/2025, 5:11:05 AM
