ctipilot.ch

CVE-2026-9642 — Delta Electronics DIAView SCADA: incomplete fix for prior unauthenticated remote database access (CVE-2025-62582) [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-27 · published 2026-05-27

Tenable Research disclosed that the vendor's mitigation for CVE-2025-62582 (unauthenticated remote database access in Delta Electronics DIAView, an HMI/SCADA application) is bypassable: an unauthenticated remote attacker can still reach the databases configured in a DIAView project despite the prior fix (CVSS 3.1 = 9.8) (Tenable Research TRA-2026-44, 2026-05-26). Delta is a major industrial-automation vendor with installations across EU manufacturing and energy OT estates, and Switzerland has a sizeable Delta customer base in precision manufacturing. Because the original CVE-2025-62582 fix is incomplete, organisations that believed they had remediated remain exposed (T1190 Exploit Public-Facing Application against the OT historian/database layer). Treat any DIAView project reachable from IT or internet segments as still vulnerable: confirm a corrected fix directly with Delta rather than assuming the earlier patch closed the path, enforce strict IT/OT segmentation so the historian database tier is unreachable from general networks, and monitor for connections to DIAView database listener ports from non-engineering workstations. Single-source on Tenable Research as of this run; no second independent report located in-window.
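The monitoring recommendation above can be sketched as a flow-log check. This is an added example, not code from Tenable, Delta or this brief. The listener ports, host address, subnets and flow records are all constructed assumptions, because the brief does not name DIAView's database ports; substitute the ports of the databases configured in your own DIAView project.

```python
import ipaddress

# Assumptions (not from the brief): replace every value with your own.
DB_LISTENER_PORTS = {1433, 3306}  # ports of the databases your DIAView project uses
DIAVIEW_DB_HOSTS = {ipaddress.ip_address("10.20.0.10")}    # constructed historian host
ENGINEERING_NETS = [ipaddress.ip_network("10.20.5.0/28")]  # constructed engineering range
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]           # constructed OT address space
IT_NETS = [ipaddress.ip_network("192.168.40.0/24")]        # constructed office/IT range

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2026-05-27T08:01:12Z 10.20.5.4 10.20.0.10 1433
2026-05-27T08:03:40Z 10.20.7.31 10.20.0.10 1433
2026-05-27T08:05:02Z 192.168.40.17 10.20.0.10 3306
2026-05-27T08:06:55Z 203.0.113.9 10.20.0.10 1433
2026-05-27T08:07:10Z 192.168.40.17 10.20.0.10 443
not a flow line
"""

def classify_source(src):
    """Map a source address to a zone; engineering is checked before the wider OT range."""
    if any(src in net for net in ENGINEERING_NETS):
        return "engineering"
    if any(src in net for net in OT_NETS):
        return "ot-non-engineering"
    if any(src in net for net in IT_NETS):
        return "it-segment"
    return "external"

def find_suspect_connections(text):
    """Return (timestamp, src, port, zone) for DB-tier connections not from engineering hosts."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src_s, dst_s, port_s = parts
        try:
            src, dst, port = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s), int(port_s)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        if dst not in DIAVIEW_DB_HOSTS or port not in DB_LISTENER_PORTS:
            continue
        zone = classify_source(src)
        if zone != "engineering":
            alerts.append((ts, str(src), port, zone))
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_connections(SAMPLE_FLOWS):
        print(alert)
```

Any "it-segment" or "external" hit also indicates that the IT/OT segmentation in front of the database tier is not holding.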

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-9312 | GitHub Enterprise Server < 3.22 | 9.2 (v4.0) | 0.0% | No | No | 3.16.20 / 3.17.17 / 3.18.11 / 3.19.8 / 3.20.4 / 3.21.1 | ENISA EUVD |
| CVE-2026-9642 | Delta Electronics DIAView SCADA | 9.8 (v3.1) | n/a | No | No | Incomplete (bypass of CVE-2025-62582 fix) | Tenable TRA-2026-44 |