Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
There is a mitigation bypass / (incomplete fix) for CVE-2025-62582 (Unauthenticated Remote Database Access)
An unauthenticated remote attacker can access configured databases in a DIAView project.
AnalysisAI
Unauthenticated remote database access in Delta Electronics DIAView allows network-based attackers to reach configured project databases without credentials, bypassing the prior mitigation issued for CVE-2025-62582. The flaw carries a CVSS 9.8 rating with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the original CVE it incompletely patches has known prior research from Tenable.
Technical ContextAI
DIAView is Delta Electronics' SCADA/HMI platform used in industrial automation environments to visualize and manage process data, with backing databases storing project configuration and historical telemetry. CWE-321 (Use of Hard-coded Cryptographic Key) indicates the root cause involves static or embedded cryptographic material that an attacker can derive or reuse to authenticate to the database tier, mirroring the original CVE-2025-62582 weakness. Because the fix for that earlier issue is incomplete, the same trust boundary between unauthenticated network clients and the project database can still be crossed using a variant technique against the affected CPE cpe:2.3:a:delta_electronics:diaview.
RemediationAI
No vendor-released patch identified at time of analysis based on the supplied intelligence; defenders should monitor Delta Electronics' DIAView download portal and any forthcoming ICS-CERT advisory referenced from the Tenable write-up at https://www.tenable.com/security/research/tra-2026-44 and apply the next DIAView release that explicitly cites CVE-2026-9642 as fixed. Until a verified update ships, restrict network reachability to the DIAView database service from non-engineering subnets using host or perimeter firewall rules, place the system behind a jump host with MFA, and disable any DIAView project that does not need external clients connecting to the configured database - these controls add operational friction for legitimate remote engineering access and may break integrations that rely on direct database connectivity, so coordinate with control-system owners before enforcing.
Delta Electronics DIAView has a missing authentication vulnerability that allows remote attackers to access critical fun
Delta Electronics DIAView uses hard-coded cryptographic keys, allowing attackers to forge authentication tokens, decrypt
Delta Electronics DIAView has Command Injection vulnerability. [CVSS 7.8 HIGH]
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31970
GHSA-4v2g-76qr-8gvj