CVE-2026-9642 — Delta Electronics DIAView SCADA: incomplete fix for prior unauthenticated remote database access (CVE-2025-62582) [SINGLE-SOURCE]
From CTI Daily Brief — 2026-05-27 · published 2026-05-27 · view item permalink →
Tenable Research disclosed that the vendor's mitigation for CVE-2025-62582 (unauthenticated remote database access in Delta Electronics DIAView, an HMI/SCADA application) is bypassable: an unauthenticated remote attacker can still reach the databases configured in a DIAView project despite the prior fix (CVSS 3.1 = 9.8) (Tenable Research TRA-2026-44, 2026-05-26). Delta is a major industrial-automation vendor with installations across EU manufacturing and energy OT estates, and Switzerland has a sizeable Delta customer base in precision manufacturing. Because the original CVE-2025-62582 fix is incomplete, organisations that believed they had remediated remain exposed (T1190 Exploit Public-Facing Application against the OT historian/database layer). Treat any DIAView project reachable from IT or internet segments as still vulnerable: confirm a corrected fix directly with Delta rather than assuming the earlier patch closed the path, enforce strict IT/OT segmentation so the historian database tier is unreachable from general networks, and monitor for connections to DIAView database listener ports from non-engineering workstations. Single-source on Tenable Research as of this run; no second independent report located in-window.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-9312 | GitHub Enterprise Server < 3.22 | 9.2 (v4.0) | 0.0% | No | No | 3.16.20 / 3.17.17 / 3.18.11 / 3.19.8 / 3.20.4 / 3.21.1 | ENISA EUVD |
| CVE-2026-9642 | Delta Electronics DIAView SCADA | 9.8 (v3.1) | n/a | No | No | Incomplete (bypass of CVE-2025-62582 fix) | Tenable TRA-2026-44 |