Skip to main content

Delta Electronics DIAView CVE-2026-9642

| EUVDEUVD-2026-31970 CRITICAL
Use of Hard-coded Cryptographic Key (CWE-321)
2026-05-26 tenable GHSA-4v2g-76qr-8gvj
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 26, 2026 - 21:02 vuln.today

DescriptionCVE.org

There is a mitigation bypass / (incomplete fix) for CVE-2025-62582 (Unauthenticated Remote Database Access)

An unauthenticated remote attacker can access configured databases in a DIAView project.

AnalysisAI

Unauthenticated remote database access in Delta Electronics DIAView allows network-based attackers to reach configured project databases without credentials, bypassing the prior mitigation issued for CVE-2025-62582. The flaw carries a CVSS 9.8 rating with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the original CVE it incompletely patches has known prior research from Tenable.

Technical ContextAI

DIAView is Delta Electronics' SCADA/HMI platform used in industrial automation environments to visualize and manage process data, with backing databases storing project configuration and historical telemetry. CWE-321 (Use of Hard-coded Cryptographic Key) indicates the root cause involves static or embedded cryptographic material that an attacker can derive or reuse to authenticate to the database tier, mirroring the original CVE-2025-62582 weakness. Because the fix for that earlier issue is incomplete, the same trust boundary between unauthenticated network clients and the project database can still be crossed using a variant technique against the affected CPE cpe:2.3:a:delta_electronics:diaview.

RemediationAI

No vendor-released patch identified at time of analysis based on the supplied intelligence; defenders should monitor Delta Electronics' DIAView download portal and any forthcoming ICS-CERT advisory referenced from the Tenable write-up at https://www.tenable.com/security/research/tra-2026-44 and apply the next DIAView release that explicitly cites CVE-2026-9642 as fixed. Until a verified update ships, restrict network reachability to the DIAView database service from non-engineering subnets using host or perimeter firewall rules, place the system behind a jump host with MFA, and disable any DIAView project that does not need external clients connecting to the configured database - these controls add operational friction for legitimate remote engineering access and may break integrations that rely on direct database connectivity, so coordinate with control-system owners before enforcing.

Share

CVE-2026-9642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy