A newly discovered critical vulnerability in Delta Electronics' CNCSoft-G2 software poses severe risks to industrial control systems running on Windows platforms. Tracked as CVE-2025-22881, this heap-based buffer overflow vulnerability has received a CVSS score of 9.8 (Critical) and could allow remote attackers to execute arbitrary code on affected systems without authentication. Industrial organizations using this computer numerical control (CNC) programming software must take immediate action to mitigate potential operational technology (OT) network compromises.

Understanding the CNCSoft-G2 Vulnerability

The vulnerability exists in the file parsing component of CNCSoft-G2 versions prior to 2.1.2.4. When processing specially crafted project files (.mpj), the software fails to properly validate input data and corrupts the heap. Security researchers at Industrial Defender discovered that:

  • The overflow occurs during memory allocation for project metadata
  • No bounds checking is performed on user-supplied parameters
  • The corrupted memory space can be manipulated to redirect program execution

Technical Impact: Successful exploitation could grant attackers the same privileges as the application (typically SYSTEM-level access on Windows systems). This creates a gateway for:

  • Complete system takeover
  • Lateral movement across OT networks
  • Manipulation of CNC machine operations
  • Data exfiltration from isolated networks

Affected Software Versions

The vulnerability impacts all CNCSoft-G2 releases before the patched version 2.1.2.4. Delta Electronics has confirmed these vulnerable distributions:

  • CNCSoft-G2 v2.0.0.0 through v2.1.2.3
  • All localized language versions
  • Both 32-bit and 64-bit Windows installations

Supported Windows Platforms:
- Windows 7 (End-of-Life systems at particular risk)
- Windows 10
- Windows 11
- Windows Server 2012 R2 through 2022

Exploit Potential and Attack Vectors

Security analysts have identified multiple potential attack scenarios:

  1. Direct File Execution:
    - Attacker sends malicious .mpj file via email/social engineering
    - User opens file in vulnerable CNCSoft-G2 version
    - Payload executes without additional interaction

  2. Network-Based Attacks:
    - Compromise of file shares containing project files
    - MITM attacks on software update mechanisms
    - Exploitation through connected HMI systems

  3. Supply Chain Compromise:
    - Injection of malicious code into legitimate project files
    - Distribution through vendor portals or third-party repositories

"This is particularly concerning for air-gapped systems," notes ICS security expert Dr. Elena Petrov. "The vulnerability could bridge air gaps if infected files are introduced via removable media or maintenance laptops."

Mitigation and Patching Strategies

Delta Electronics released an emergency update (v2.1.2.4) addressing CVE-2025-22881. Organizations should:

Immediate Actions:
- Download and install the patched version from Delta's official portal
- Disconnect vulnerable systems from networks until patched
- Audit all project files received in the last 90 days

Compensating Controls:
1. Implement application whitelisting to block unauthorized executables
2. Configure Windows Defender Application Control (WDAC) policies
3. Segment OT networks to limit lateral movement
4. Monitor for abnormal CNCSoft-G2 process behavior

Windows-Specific Protections:
- Enable Control Flow Guard (CFG) in compatible Windows versions
- Configure Exploit Protection for CNCSoft-G2.exe
- Apply strict ASLR policies through Group Policy
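One way to apply these three protections to the CNCSoft-G2 process with the built-in Exploit Protection cmdlets (Windows 10 1709+ / Server 2019+, elevated session). This is an added example, not guidance from Delta or the article; the process name comes from the article, the export and backup paths are assumptions.

```powershell
# Added example (not from Delta or the article): per-process Exploit Protection
# for CNCSoft-G2.exe. Run elevated. Paths under $env:TEMP are assumptions.
$exe = 'CNCSoft-G2.exe'

# Record the current state before changing anything, for the change record.
Get-ProcessMitigation -Name $exe | Out-File "$env:TEMP\CNCSoft-G2.before.txt"

# Mitigations that matter for a heap-based overflow in a file parser:
#   CFG, StrictCFG               - Control Flow Guard on indirect calls; StrictCFG
#                                  also refuses to load DLLs not built with CFG
#   ForceRelocateImages          - mandatory ASLR, even for images built
#                                  without /DYNAMICBASE
#   BottomUp, HighEntropy        - randomise bottom-up allocations and use
#                                  high-entropy 64-bit addresses
#   DEP                          - non-executable heap and stack
#   DisallowChildProcessCreation - a CNC editor has no reason to spawn processes
Set-ProcessMitigation -Name $exe -Enable CFG, StrictCFG, ForceRelocateImages, `
    BottomUp, HighEntropy, DEP, DisallowChildProcessCreation

# Verify the settings took effect.
Get-ProcessMitigation -Name $exe | Format-List Dep, Aslr, ControlFlowGuard, ChildProcess

# Export the whole mitigation set to XML so the same policy can be pushed to
# the fleet through Group Policy (Exploit Protection: "Use a common set of
# exploit protection settings") instead of configuring each workstation by hand.
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\exploit-protection.xml"
```

StrictCFG and ForceRelocateImages can break applications whose DLLs were not built for them, so give this the same non-production testing the article recommends for the patch itself; these mitigations raise the cost of exploiting the overflow but do not remove it, and the update to v2.1.2.4 remains the fix.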

Long-Term Security Recommendations

Beyond immediate patching, industrial organizations should:

  • Enhance Monitoring: Deploy EDR solutions capable of detecting memory corruption attempts
  • Update Policies: Restrict .mpj file handling to patched systems only
  • Staff Training: Educate engineers on secure file handling practices
  • Vulnerability Management: Establish regular ICS software assessment processes

The Bigger Picture: OT Security Challenges

This incident highlights critical issues in industrial software security:

  • Legacy Code Risks: Many ICS applications contain decades-old vulnerable code
  • Patch Lag: OT environments often delay updates due to uptime requirements
  • Windows Dependencies: Industrial software frequently relies on deprecated Windows features

Microsoft's Response: While not directly responsible for third-party software, Microsoft has:

  • Updated Defender ATP to detect exploitation attempts
  • Published guidance for hardening Windows in ICS environments
  • Added CVE-2025-22881 to its vulnerability database

Verification and Testing

Organizations can verify their patch status by:

  1. Checking Help > About in CNCSoft-G2
  2. Validating the file version of CNCSoft-G2.exe:
    - Patched: 2.1.2.4 (File version 2.1.2.4)
    - Vulnerable: Any lower version number
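The file-version check in step 2, scripted so it can be run across Windows hosts. This is an added example, not Delta's tooling; the search roots are an assumption and the patched version number is the one the article gives.

```powershell
# Added example (not Delta's tooling): report whether each CNCSoft-G2.exe found
# on this host is at or above the patched file version 2.1.2.4.
# The search roots are an assumption; adjust to the site's install location.
$PatchedVersion = [version]'2.1.2.4'
$SearchRoots    = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-CncSoftG2PatchStatus {
    param([string[]]$Roots = $SearchRoots)

    $binaries = Get-ChildItem -Path $Roots -Filter 'CNCSoft-G2.exe' -Recurse -File -ErrorAction SilentlyContinue
    if (-not $binaries) {
        Write-Warning 'CNCSoft-G2.exe not found under the search roots.'
        return
    }

    foreach ($bin in $binaries) {
        $vi = $bin.VersionInfo
        # Build a [version] from the numeric PE resource fields rather than
        # parsing FileVersion, which is free text and may carry vendor suffixes.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
        if ($ver -ge $PatchedVersion) {
            $status = 'PATCHED'
        } else {
            $status = 'VULNERABLE - CVE-2025-22881'
        }
        [pscustomobject]@{
            Path        = $bin.FullName
            FileVersion = $ver.ToString()
            Status      = $status
        }
    }
}

Get-CncSoftG2PatchStatus | Format-Table -AutoSize
```

Because the article notes both 32-bit and 64-bit installations are affected, the script searches both Program Files trees; run it under the endpoint management tool already used for the OT workstations so every copy of the binary, not just the one the engineer last launched, is checked.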

Security teams should test the patch in non-production environments before widespread deployment, particularly checking:

  • Compatibility with existing project files
  • Interaction with other industrial software
  • Performance impact on time-sensitive operations

Future Outlook

This vulnerability will likely prompt:

  • Increased scrutiny of CNC software security
  • Tighter integration between Windows security features and OT applications
  • More rigorous certification requirements for industrial software

As attackers increasingly target operational technology, the window for patching critical vulnerabilities continues to shrink. This incident serves as a stark reminder that even specialized industrial software running on Windows requires vigilant security management.