ctipilot.ch


CVE-2026-9642 — Delta Electronics DIAView SCADA: incomplete fix for prior unauthenticated remote database access (CVE-2025-62582)

Notable vulnerability · discovered 2026-05-27 05:00 UTC · single-source

Part of run 2026-05-27-0b6f12dd (intel · Claude Opus 4.7)

Tenable Research disclosed that the vendor's mitigation for CVE-2025-62582 (unauthenticated remote database access in Delta Electronics DIAView, an HMI/SCADA application) is bypassable: an unauthenticated remote attacker can still reach the databases configured in a DIAView project despite the prior fix (CVSS 3.1 = 9.8) (Tenable Research TRA-2026-44, 2026-05-26). Delta is a major industrial-automation vendor with installations across EU manufacturing and energy OT estates, and Switzerland has a sizeable Delta customer base in precision manufacturing. Because the original CVE-2025-62582 fix is incomplete, organisations that believed they had remediated remain exposed (T1190 Exploit Public-Facing Application against the OT historian/database layer). Treat any DIAView project reachable from IT or internet segments as still vulnerable: confirm a corrected fix directly with Delta rather than assuming the earlier patch closed the path, enforce strict IT/OT segmentation so the historian database tier is unreachable from general networks, and monitor for connections to DIAView database listener ports from non-engineering workstations. Single-source on Tenable Research as of this run; no second independent report located in-window.
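The monitoring control recommended above, as an added example that is not code from the ctipilot.ch brief, Tenable Research or Delta Electronics: it runs over Zeek-style conn.log lines and flags TCP connections to database listener ports on the historian tier whose source is not an engineering workstation. The CIDRs, the column order and the listener ports are assumptions; the ports must be set to whatever the databases configured in the DIAView project actually listen on.

```python
# Added example (not code from the ctipilot.ch brief, Tenable Research or
# Delta Electronics). Flags TCP connections to database listener ports on the
# historian tier that do not originate from engineering workstations.
# Assumptions (placeholders): Zeek-style conn.log columns, the CIDRs and the
# listener ports below; set the ports to those the DIAView project databases
# are actually configured on.
import ipaddress

ENGINEERING_NETS = [ipaddress.ip_network("10.50.10.0/24")]  # assumed allow-list
HISTORIAN_NETS = [ipaddress.ip_network("10.50.20.0/24")]    # assumed DB tier
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]            # assumed site space
DB_LISTENER_PORTS = {1433, 3306}  # assumed; generic MSSQL/MySQL defaults only

def _in_any(ip, nets):
    return any(ip in n for n in nets)

def parse_conn_line(line):
    # Assumed tab-separated order: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
    f = line.rstrip("\n").split("\t")
    return {"ts": f[0], "src": f[2], "dst": f[4], "port": int(f[5]), "proto": f[6]}

def detect(lines):
    """Return (ts, src, dst, port, reason) for each suspicious DB connection."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip Zeek header/comment lines
        c = parse_conn_line(line)
        if c["proto"] != "tcp" or c["port"] not in DB_LISTENER_PORTS:
            continue  # not a database listener
        src, dst = ipaddress.ip_address(c["src"]), ipaddress.ip_address(c["dst"])
        if not _in_any(dst, HISTORIAN_NETS) or _in_any(src, ENGINEERING_NETS):
            continue  # not the historian tier, or an approved source
        reason = ("source outside site address space" if not _in_any(src, SITE_NETS)
                  else "internal source outside engineering segment")
        findings.append((c["ts"], c["src"], c["dst"], c["port"], reason))
    return findings

# Constructed sample conn.log lines (not real traffic).
SAMPLE_CONN_LOG = [
    "1780000000.1\tC1\t10.50.10.5\t51000\t10.50.20.8\t1433\ttcp",   # engineering: OK
    "1780000001.2\tC2\t10.50.30.7\t51001\t10.50.20.8\t1433\ttcp",   # IT workstation
    "1780000002.3\tC3\t203.0.113.9\t40000\t10.50.20.9\t3306\ttcp",  # external source
    "1780000003.4\tC4\t10.50.30.7\t51002\t10.50.20.8\t445\ttcp",    # not a DB port
    "1780000004.5\tC5\t10.50.10.5\t51003\t10.50.40.2\t1433\ttcp",   # not historian tier
]

if __name__ == "__main__":
    for ts, src, dst, port, reason in detect(SAMPLE_CONN_LOG):
        print(f"{ts} {src} -> {dst}:{port} ({reason})")
```

A hit from an internal but non-engineering address is the case the brief warns about: a host that can reach the database tier even though the earlier CVE-2025-62582 patch was believed to have closed the path.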

CVE Summary Table

CVE           | Product                         | CVSS       | EPSS | KEV | Exploited | Patch                                                  | Source
CVE-2026-9312 | GitHub Enterprise Server < 3.22 | 9.2 (v4.0) | 0.0% | No  | No        | 3.16.20 / 3.17.17 / 3.18.11 / 3.19.8 / 3.20.4 / 3.21.1 | ENISA EUVD
CVE-2026-9642 | Delta Electronics DIAView SCADA | 9.8 (v3.1) | n/a  | No  | No        | Incomplete (bypass of CVE-2025-62582 fix)              | Tenable TRA-2026-44

Action items

  • Re-verify Delta Electronics DIAView remediation (CVE-2026-9642) — the prior CVE-2025-62582 fix is bypassable; confirm a corrected patch with Delta rather than assuming the earlier fix held, and ensure no DIAView historian/database tier is reachable from IT or internet segments.

Tags: vulnerabilities · ot-ics · pre-auth · info-disclosure · no-patch · global · CVE-2026-9642