OTPulse

Delta Electronics CNCSoft-G2

Priority: Plan Patch
CVSS: 7.8
Advisory: ICS-CERT ICSA-24-284-21
Published: Oct 10, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Delta Electronics CNCSoft-G2 versions 2.1.0.10 and earlier contain multiple memory safety vulnerabilities: stack-based buffer overflow (CWE-121), out-of-bounds write (CWE-787), heap-based buffer overflow (CWE-122), out-of-bounds read (CWE-125) and use of uninitialized variable (CWE-457). The CVSS attack vector is Local and user interaction is required: the attacker has to get a malicious file onto the workstation (for example as an email attachment) and a user has to open it in CNCSoft-G2. Successful exploitation allows the attacker to execute code with the privileges of the logged-in user, which on an engineering workstation is enough to read or modify CNC programs and machining data.

What this means
What could happen
An attacker who gets a user of a CNCSoft-G2 workstation to open a malicious file could execute arbitrary code with that user's privileges, potentially compromising CNC programs, machining data, and the integrity of the workstation itself.
Who's at risk
Manufacturing and machining facilities using Delta Electronics CNCSoft-G2 for CNC machine programming and control. This affects engineering workstations where CNC program development and modification occurs.
How it could be exploited
The attack vector is local in the CVSS sense: the malicious input must be processed on the machine running CNCSoft-G2, so the attacker has to deliver a crafted file (for example as an email attachment) and trick a user into opening it. No network service is exposed and no authentication is involved. Once the file is parsed, the memory corruption gives the attacker code execution at the privilege level of the logged-in user, which could allow modification of CNC programs or theft of machining data.
Prerequisites
  • Local access to the machine running CNCSoft-G2
  • User interaction required (victim must open malicious attachment or file)
  • CNCSoft-G2 version 2.1.0.10 or earlier must be installed
Tags: Local access required · Low attack complexity · User interaction required · High impact on code integrity and confidentiality · Affects CNC programming and control software
Exploitability
Moderate exploit probability (EPSS 2.0%)
Affected products (1)
Product: CNCSoft-G2
Affected Versions: 2.1.0.10 and earlier
Fix Status: Fixed in 2.1.0.16 or later
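The affected/fixed boundary above is easy to get wrong when a fleet inventory is checked by hand or with string comparison ("2.1.0.9" sorts after "2.1.0.16" as text). The following is an added example, not OTPulse or Delta code, that triages an asset inventory against this advisory using numeric version tuples. The inventory layout (hostname,product,version), the hostnames and the product spelling "CNCSoft-G2" are assumptions; the thresholds 2.1.0.10 and 2.1.0.16 come from the advisory.

```python
"""Triage an asset inventory against the CNCSoft-G2 advisory.

Added example, not OTPulse or Delta code. Thresholds come from the advisory:
2.1.0.10 and earlier are affected, 2.1.0.16 or later is fixed. Versions in
between are not described by the advisory and are reported as 'unknown'.
The CSV layout and product name spelling are assumptions for illustration.
"""
from __future__ import annotations

import csv
import io

LAST_AFFECTED = (2, 1, 0, 10)   # "2.1.0.10 and earlier" per the advisory
FIRST_FIXED = (2, 1, 0, 16)     # "2.1.0.16 or later" per the advisory
PRODUCT = "CNCSoft-G2"          # assumed spelling in the inventory export


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.1.0.9' into (2, 1, 0, 9).

    Numeric tuples compare correctly; plain string comparison would rank
    '2.1.0.9' above '2.1.0.16' and mark a vulnerable host as fixed.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one CNCSoft-G2 version."""
    v = parse_version(version)
    if v <= LAST_AFFECTED:
        return "vulnerable"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unknown"   # between the two thresholds: not covered by the advisory


def triage(inventory_csv: str) -> dict[str, list[str]]:
    """Group hostnames by status for every row whose product is CNCSoft-G2.

    Rows for other products are skipped; rows with a missing or unparsable
    version land in 'malformed' so they are not silently treated as safe.
    """
    result: dict[str, list[str]] = {
        "vulnerable": [], "fixed": [], "unknown": [], "malformed": []
    }
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if (row.get("product") or "").strip() != PRODUCT:
            continue
        try:
            result[classify(row["version"])].append(row["hostname"])
        except (ValueError, KeyError, TypeError):
            result["malformed"].append(row.get("hostname") or "?")
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """hostname,product,version
eng-ws-01,CNCSoft-G2,2.1.0.10
eng-ws-02,CNCSoft-G2,2.1.0.9
eng-ws-03,CNCSoft-G2,2.1.0.16
eng-ws-04,CNCSoft-G2,2.1.0.20
eng-ws-05,CNCSoft-G2,2.1.0.12
eng-ws-06,CNCSoft-G2,n/a
office-pc-07,SomeOtherTool,9.9
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts that report a version between 2.1.0.10 and 2.1.0.16 are deliberately listed as unknown rather than fixed; confirm those builds with the vendor or treat them as affected until you can upgrade.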
Remediation & Mitigation
Do now
Workaround: Train users not to open attachments or click links in unsolicited emails
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Update CNCSoft-G2 to version 2.1.0.16 or later
Long-term hardening
Hardening: Implement network segmentation to isolate engineering and CNC programming workstations from general office networks
Hardening: Restrict local access to CNCSoft-G2 machines to authorized personnel only