Delta Electronics COMMGR (Update A)

Act Now9.8ICS-CERT ICSA-25-105-07Apr 15, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

This vulnerability in Delta Electronics COMMGR software allows remote, unauthenticated arbitrary code execution on the AS3000Simulator family via a weakness in random number generation (CWE-338). COMMGR Version 1 has reached end of life with no fix available. Delta Electronics has released COMMGR v2.10.0 to address this issue for Version 2. Exploitation could compromise the integrity of simulation and control system engineering activities.

What this means

What could happen

An attacker could remotely execute arbitrary code on the AS3000Simulator family simulated via COMMGR, potentially allowing them to manipulate simulated process behavior or disrupt control system engineering and testing activities.

Who's at risk

Operators of Delta Electronics COMMGR software (engineering/configuration tool for AS3000Simulator) should be aware: Version 1 is end-of-life with no fix planned; Version 2 users running v2.9.0 or earlier are at risk if the software is exposed to unauthorized network access.

How it could be exploited

An attacker on the network reaches the COMMGR software (Version 1 or Version 2 ≤2.9.0) without authentication and exploits the weakness in random number generation (CWE-338) to execute arbitrary code on the AS3000Simulator simulation environment.

Prerequisites

Network access to COMMGR software interface
No authentication required
COMMGR Version 1 (all versions) or Version 2 up to v2.9.0

Remotely exploitableNo authentication requiredLow complexityCritical severity (CVSS 9.8)Affects engineering/simulation software (indirect impact to operations)

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

COMMGR (Version 1): vers:all/*All versionsNo fix (EOL)

COMMGR (Version 2): <=v2.9.0≤ v2.9.0v2.10.0

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to COMMGR software using firewall rules to allow connections only from authorized engineering workstations

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

COMMGR (Version 2): <=v2.9.0

HOTFIXUpgrade COMMGR Version 2 to v2.10.0 or later

COMMGR (Version 1): vers:all/*

HOTFIXFor COMMGR Version 1 (EOL), migrate to COMMGR Version 2 v2.10.0

Mitigations - no patch available

0/2

COMMGR (Version 1): vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate COMMGR software and engineering networks from the Internet and business network

HARDENINGUse VPN for any remote access to COMMGR software

CVEs (1)

CVE-2025-3495

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/248825a9-b835-4a9b-ba35-78d17c48717e