Delta Electronics CNCSoft-G2 DPAX File Parsing Out-of-Bounds Write RCE
Delta Electronics CNCSoft-G2 contains an out-of-bounds write vulnerability in the DOPSoft component’s DPAX file parsing that can lead to remote code execution in the context of the current process. The issue is tracked as CVE-2026-3094 (ZDI-CAN-28415 / ZDI-26-151) and is rated CVSS 7.8 (High) with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; exploitation requires user interaction (e.g., opening a malicious file or visiting a malicious page that triggers processing of attacker-controlled content). Affected versions are CNCSoft-G2 prior to V2.1.0.39 (CWE-787), and Delta Electronics has issued an update to remediate the flaw.
CISA’s ICS advisory highlights the potential impact to critical manufacturing environments and recommends standard OT hardening measures, including minimizing network exposure of control system assets, placing devices behind firewalls and isolating OT from business networks, and using more secure remote access methods (e.g., VPNs) when remote connectivity is required. Separately, CISA also added Hikvision CVE-2017-7921 and Rockwell Automation CVE-2021-22681 (both CVSS 9.8) to the Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation; this KEV action is unrelated to the Delta Electronics CNCSoft-G2 disclosure and represents a different set of exploited product vulnerabilities requiring separate remediation prioritization.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Delta update and public disclosure of CVE-2026-3094
Zero Day Initiative publicly disclosed CVE-2026-3094 / ZDI-26-151, an out-of-bounds write in the DOPSoft module of Delta Electronics CNCSoft-G2. ZDI said Delta Electronics had released an update to remediate the issue.
CISA publishes ICS advisory for Delta CNCSoft-G2 vulnerability
CISA published advisory ICSA-26-064-01 describing a high-severity out-of-bounds write vulnerability in Delta Electronics CNCSoft-G2 versions prior to V2.1.0.39. CISA said the issue was not remotely exploitable and that no known public exploitation had been reported at the time of publication.
Researcher reports Delta CNCSoft-G2 flaw to vendor
Natnael Samson (@NattiSamson) reported an out-of-bounds write vulnerability in Delta Electronics CNCSoft-G2 to the vendor through the Zero Day Initiative. The flaw affects the DOPSoft component when parsing DPAX files and can lead to code execution with user interaction.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Delta Electronics DIAScreen Vulnerabilities Allow Out-of-Bounds Write Exploits
CISA released an advisory detailing two out-of-bounds write vulnerabilities in Delta Electronics DIAScreen, a product used in industrial control systems. The affected product versions include DIAScreen version 1.6.0 and prior. These vulnerabilities, identified as CVE-2025-59297 and CVE-2025-59298, can be exploited when a valid user opens a maliciously crafted project file, allowing an attacker to write data outside the allocated memory buffer. Both vulnerabilities are rated with a CVSS v3.1 base score of 6.6 and a CVSS v4 base score of 6.8, indicating a medium severity level. The attack complexity is considered low, and exploitation does not require privileges, but user interaction is necessary. Successful exploitation could result in loss of confidentiality, integrity, and availability, with a particular risk of denial-of-service or potential code execution. CISA's advisory provides technical details about the vulnerabilities and recommends mitigations to reduce risk. Administrators and users are encouraged to review the advisory and apply the recommended security measures. The vulnerabilities highlight the ongoing risks associated with file parsing in industrial control system software. Delta Electronics is a major vendor in the ICS sector, and vulnerabilities in its products can have significant operational impacts. The advisories were released on October 7, 2025, as part of CISA's ongoing efforts to inform the ICS community about emerging threats. The technical details specify that the vulnerabilities are triggered by opening malicious project files, emphasizing the importance of user awareness and safe file handling practices. The advisory does not mention active exploitation in the wild at the time of publication. CISA's notification is part of a broader set of ICS advisories released on the same date, but the DIAScreen vulnerabilities are specifically addressed in their own advisory. The disclosure underscores the need for timely patching and adherence to vendor guidance in industrial environments. Organizations using DIAScreen should assess their exposure and implement mitigations as soon as possible. The vulnerabilities are tracked under the Common Weakness Enumeration (CWE) identifier CWE-787, which relates to out-of-bounds write issues. The advisory also provides links to further technical resources and encourages feedback from the ICS community.
Mar 21, 2026
CISA ICS Advisories for Delta Electronics ASDA-Soft and Honeywell CCTV Vulnerabilities
CISA published ICS advisories detailing vulnerabilities in **Delta Electronics ASDA-Soft** and **Honeywell CCTV products**. Delta Electronics *ASDA-Soft* (versions `<= 7.2.0.0`) contains a **stack-based buffer overflow** (CWE-121) triggered when parsing `.par` files due to improper validation of a user-controlled size parameter, which can enable out-of-bounds writes and corruption of the structured exception handler (**CVE-2026-1361**, CVSS v3.1 **7.8 High**, `CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`). Honeywell CCTV devices are affected by **missing authentication for a critical function** (CWE-306) where an unauthenticated API endpoint can allow an attacker to change the “forgot password” recovery email address, enabling **account takeover** and unauthorized access to camera feeds (**CVE-2026-1670**, CVSS v3.1 **9.8 Critical**, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`). A separate report described a different CISA ICS advisory for **Airleader Master** involving an **unrestricted file upload** that could allow unauthenticated **remote code execution** (**CVE-2026-1358**, CVSS **9.8**), affecting versions up to `6.381`; it noted no known public exploits at the time and recommended exposure reduction measures such as restricting internet access and segmenting ICS networks. This Airleader issue is not part of the same disclosure as the Delta Electronics and Honeywell advisories, which cover distinct products and CVEs released under different advisory identifiers.
Mar 21, 2026
Delta Electronics AS320T Flaws Expose Devices to Remote Buffer Overflow Attacks
Delta Electronics **AS320T** devices were disclosed with multiple high-severity memory-handling vulnerabilities in the product's web service, including **CVE-2026-1949** and **CVE-2026-1951**. The flaws affect request processing in the device's **GET/PUT handler** and directory-name buffer handling, where incorrect stack buffer size calculation and missing length checks can lead to buffer overflow conditions. Both issues are rated with **CVSS v3.1** vectors indicating **network-exploitable attacks requiring no privileges or user interaction** and carrying high impact to confidentiality, integrity, and availability. Vendor documentation from Delta Electronics links the disclosures to additional related issues, including **CVE-2026-1950** and **CVE-2026-1952**, suggesting a broader set of web-service weaknesses in the AS320T platform. Separately, **CVE-2026-6356** was published for an unrelated web application flaw that allows a standard user to escalate privileges to **super administrator** through parameter manipulation, enabling unauthorized access to and modification of sensitive information.
Apr 24, 2026