OTPulse

Delta Electronics DOPSoft

Plan Patch | 7.8 | ICS-CERT ICSA-21-005-05 | Jan 5, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

DOPSoft versions 4.0.8.21 and earlier contain buffer overflow and out-of-bounds write vulnerabilities (CWE-787, CWE-822) that could allow arbitrary code execution. The vulnerabilities are triggered by opening malicious project files (*.dpa). Exploitation requires local file interaction and user action to open a crafted file.

What this means
What could happen
An attacker could execute arbitrary code on the engineering workstation running DOPSoft, potentially gaining the ability to modify or create malicious HMI/PLC project files that could alter process control logic or equipment behavior when deployed to production systems.
Who's at risk
Engineering teams and plant engineers who use Delta Electronics DOPSoft for HMI/PLC programming. This affects sites that operate Delta PLC/HMI equipment in water treatment, wastewater, power generation, manufacturing, and other process industries where DOPSoft is the standard engineering tool.
How it could be exploited
An attacker crafts a malicious DOPSoft project file (.dpa) with oversized data that triggers a buffer overflow. The file is delivered to an engineer (via email, USB, or file share). When the engineer opens the file in vulnerable DOPSoft, the overflow executes attacker code on the workstation. This compromised workstation could then be used to inject malicious logic into legitimate control projects.
Prerequisites
  • DOPSoft version 4.0.8.21 or earlier installed on an engineering workstation
  • User action required: engineer must open a malicious .dpa file with the vulnerable application
  • Local file access or ability to deliver file to engineering staff (no remote exploitation)

low complexity - user only needs to open a file
requires user interaction - file must be opened manually
affects engineering workstations and control system development
no public exploits known but vulnerability is well-documented
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product | Affected Versions | Fix Status
DOPSoft | ≤ 4.0.8.21 | v4.00.10.17 or higher
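
Added example (not part of the advisory or of any vendor tooling): a triage of a workstation inventory against the version thresholds in the table above. The CSV layout and host names are constructed, and how installed versions are collected is left to the site's own inventory tooling.

```python
import csv
import io
import re

# Thresholds taken from the affected-products table in this advisory.
LAST_AFFECTED = (4, 0, 8, 21)    # "≤ 4.0.8.21"
FIRST_FIXED = (4, 0, 10, 17)     # "v4.00.10.17 or higher"

# Constructed sample inventory; host names and CSV layout are assumptions.
SAMPLE_INVENTORY = """host,product,version
ews-01,DOPSoft,4.00.08.21
ews-02,DOPSoft,v4.00.10.17
ews-03,DOPSoft,4.0.9.3
ews-04,DOPSoft,4.00.07
ews-05,DOPSoft,unknown
ews-06,OtherTool,1.2.3
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a dotted version.

    Components are compared numerically, so '4.00.10.17' and '4.0.10.17' are
    the same version and 10 sorts above 8 (as plain strings,
    '4.0.10.17' < '4.0.8.21', which would misreport a fixed install).
    """
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+){1,3})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad short versions with zeros

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unparseable"      # needs a manual check on the workstation
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unlisted"             # between the thresholds: the advisory is silent

def triage(inventory_csv, product="DOPSoft"):
    """Map each host running `product` to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["version"])
            for r in rows if r["product"].strip().lower() == product.lower()}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unlisted" or "unparseable" should be treated as unpatched until the installed version is confirmed by hand.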
Remediation & Mitigation
Do now
HARDENING: Configure file association restrictions to prevent automatic opening of .dpa files from untrusted sources; require manual selection of trusted project files only
HARDENING: Educate engineering staff not to open DOPSoft project files from untrusted sources (email, external USB, unknown file shares)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update DOPSoft to version 4.00.10.17 or higher on all engineering workstations
WORKAROUND: For legacy project files created in older DOPSoft versions: open in v4.00.10.17 or higher, then re-save as new .dpa files and discard the old ones to eliminate potentially malicious file structures
Long-term hardening
HARDENING: Isolate engineering workstations from the business network to limit lateral movement if a workstation is compromised