OTPulse
FeedAboutContact

Delta Electronics CNCSoft

Monitor6.1ICS-CERT ICSA-21-350-02Dec 16, 2021
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

CNCSoft contains an out-of-bounds read vulnerability (CWE-125) that could allow an attacker with local access to read sensitive memory or cause an application crash. This vulnerability affects CNCSoft version 1.01.30 and earlier. The vulnerability is not remotely exploitable.

What this means
What could happen
An attacker with local access to a workstation running CNCSoft could read sensitive memory or crash the application, disrupting engineering workstation operations during plant programming or diagnostics.
Who's at risk
Operators and engineers at water utilities, power plants, and other facilities using Delta Electronics CNCSoft for PLC/motion control programming. Risk is primarily to engineering workstations, not to control systems or field devices themselves.
How it could be exploited
An attacker with physical or local network access to an engineering workstation running CNCSoft can exploit an out-of-bounds read vulnerability to access memory beyond allocated buffers or trigger an application crash. This requires user interaction (opening a malicious file or input).
Prerequisites
  • Local access to the workstation running CNCSoft
  • User interaction required (opening a file or processing input)
  • CNCSoft version 1.01.30 or earlier
no authentication requireduser interaction requiredno patch availablelocal exploitation only
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
CNCSoft:≤ 1.01.30No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1
HARDENINGRestrict physical and network access to engineering workstations running CNCSoft to authorized personnel only
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade CNCSoft to a version newer than 1.01.30 if a fixed version becomes available from Delta Electronics
Mitigations - no patch available
0/2
CNCSoft: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate engineering workstations from the business network and untrusted networks
HARDENINGDo not allow CNCSoft workstations direct internet access; use air-gapped networks or VPNs with strict access controls if remote engineering is required
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/1b988efb-b059-4cc3-bb0c-dc5b034e6193
Delta Electronics CNCSoft | CVSS 6.1 - OTPulse