A SQL blind injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint in DIAEnergie 1.7.5 and earlier versions. The vulnerability stems from the application not properly validating the value provided by the user via the parameter agid before using the value as part of a SQL query. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of NT SERVICEMSSQLSERVER.