Critical Vulnerabilities in Delta CNCSoft Expose Urgent Security Risks in Industrial Automation

Taipei, Taiwan - Delta Electronics' CNCSoft software, a key utility for integrating industrial automation with human-machine interfaces (HMIs), is facing a critical security crisis. A series of high-severity vulnerabilities has been identified that, if exploited, could allow attackers to execute arbitrary code, posing a significant threat to critical infrastructure sectors worldwide. The situation is made worse by the fact that official support and patches have been discontinued for some versions of the software, leaving many industrial operators in a precarious position.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories detailing multiple vulnerabilities in different versions of Delta's CNCSoft and CNCSoft-G2 software. These flaws, primarily categorized as out-of-bounds write and buffer overflow vulnerabilities, could be triggered by tricking a user into opening a malicious file.

A Cascade of Vulnerabilities

The core of the issue lies in the software's lack of proper validation of user-supplied data, a flaw that can lead to memory corruption. This opens the door for an attacker to execute malicious code with the same privileges as the current user.

Multiple CVEs (Common Vulnerabilities and Exposures) have been assigned to these issues, highlighting the widespread nature of the problem. For instance, vulnerabilities tracked under CVE-2025-47724 through CVE-2025-47727 affect CNCSoft version 1.01.34 and prior. These have been assigned high CVSS (Common Vulnerability Scoring System) scores, indicating a severe risk with low attack complexity.

Similarly, various versions of the newer CNCSoft-G2 are also riddled with critical flaws, including stack-based buffer overflows, heap-based buffer overflows, and out-of-bounds read vulnerabilities. These vulnerabilities, identified under various CVEs such as CVE-2024-39881, CVE-2024-39882, and CVE-2024-47962, can also lead to arbitrary code execution.

The Peril of Legacy Systems and Supply Chains

The risks associated with these vulnerabilities are magnified by the prevalence of legacy systems in industrial environments. For the A-series CNC products supported by the older CNCSoft, Delta Electronics has stated that it does not plan to release patches as the products have been discontinued. This effectively leaves any organization still using this software without vendor support, shifting the entire burden of security onto the asset owners.

This situation also casts a spotlight on supply chain risks. Many companies outsource the engineering, maintenance, or software support for their industrial control systems. A compromise at a third-party service provider could have a ripple effect, using trusted files or personnel as a vector to introduce malware into a target network. History has shown that attackers actively seek out exposed legacy engineering and HMI software to stage their attacks.

Urgent Mitigation Strategies

Both Delta Electronics and CISA have issued recommendations to mitigate these risks. The primary and most effective mitigation is to update the software to a patched version or migrate to a newer, supported product line.

For CNCSoft-G2, Delta recommends updating to v2.1.0.20 or later. For the discontinued CNCSoft, the recommendation is to migrate to newer Delta CNC products and their corresponding software as soon as possible.
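
The version guidance above can be applied to an asset inventory as a triage pass. This is an added example, not code from Delta, CISA or the original article: the thresholds are the versions quoted in the article, while the hostnames, inventory rows and status labels are constructed for illustration.

```python
import re

# Thresholds quoted in the article text.
G2_FIXED = (2, 1, 0, 20)       # CNCSoft-G2: update to v2.1.0.20 or later
LEGACY_AFFECTED = (1, 1, 34)   # CNCSoft: 1.01.34 and prior, no patch planned

def parse_version(text):
    """Turn 'v2.1.0.20' or '1.01.34' into a tuple of ints; None if malformed."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def pad(a, b):
    """Right-pad with zeros so that 2.1 compares as 2.1.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def triage(product, version):
    """Return (status, action) for one inventory row (labels are hypothetical)."""
    name = product.strip().lower().replace(" ", "-")
    if name not in ("cncsoft", "cncsoft-g2"):
        return ("not-in-scope", "none")
    ver = parse_version(version)
    if ver is None:
        # Never treat an unreadable version as safe.
        return ("unknown-version", "verify the installed build manually")
    if name == "cncsoft-g2":
        v, fixed = pad(ver, G2_FIXED)
        if v < fixed:
            return ("vulnerable", "update to v2.1.0.20 or later")
        return ("at-or-above-fix", "none")
    v, limit = pad(ver, LEGACY_AFFECTED)
    if v <= limit:
        return ("vulnerable-no-patch", "migrate to a supported product line")
    return ("outside-stated-range", "article states no fix; check the advisory")

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("eng-ws-01", "CNCSoft-G2", "v2.0.0.5"),
    ("eng-ws-02", "CNCSoft-G2", "2.1.0.20"),
    ("hmi-lab-03", "CNCSoft", "1.01.34"),
    ("hmi-lab-04", "CNCSoft", "1.00.96"),
    ("eng-ws-05", "CNCSoft-G2", "unknown"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        status, action = triage(product, version)
        print(f"{host:11} {product:11} {version:9} {status:20} {action}")
```

Rows that come back as `unknown-version` deserve the same attention as vulnerable ones until the installed build is confirmed.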

In addition to specific software updates, a defense-in-depth strategy is strongly advised. General cybersecurity best practices include:

  • Network Segmentation: Isolate industrial control systems and devices from business networks using firewalls.
  • Secure Remote Access: When remote access is necessary, use secure methods such as a Virtual Private Network (VPN).
  • User Awareness: Train users not to click on untrusted internet links or open unsolicited email attachments.
  • Impact Analysis: Organizations should perform a thorough impact analysis and risk assessment before deploying any defensive measures.

For industrial operators, the disclosure of these unpatched vulnerabilities in widely used software is a stark reminder of the ever-present cyber threats. Proactive and decisive action is required to reduce the risk of a potentially devastating cyberattack.