A SQL blind injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint in DIAEnergie 1.7.5 and earlier versions. The vulnerability stems from the application not properly validating the value provided by the user via the parameter keyword before using the value as part of a SQL query. A remote unauthenticated attacker could use this vulnerability to execute arbitrary code in the context of NT SERVICEMSSQLSERVER.