Delta Electronics COMMGR (Update A)
Plan Patch · CVSS 9.8 · ICS-CERT ICSA-25-105-07 · Apr 15, 2025
Vendor: Delta Electronics
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
COMMGR contains a weakness (CWE-338) that allows remote attackers to execute arbitrary code on the AS3000Simulator family when exploited. COMMGR Version 1 has reached end-of-life with no patch planned. Delta Electronics has released v2.10.0 to address the vulnerability in Version 2 and earlier v2.x releases. Organizations must either upgrade to v2.10.0 or implement strict network isolation for Version 1 systems.
What this means
What could happen
An attacker with network access to COMMGR could execute arbitrary code on the software, potentially allowing manipulation of the AS3000Simulator or connected industrial processes. Users of the end-of-life Version 1 have no patch available and must rely on network isolation.
Who's at risk
Organizations using Delta Electronics COMMGR software for configuration and monitoring of AS3000Simulator devices and connected industrial control systems, particularly those running Version 1 (end-of-life) with no available patch or Version 2 prior to v2.10.0.
How it could be exploited
An attacker sends a specially crafted network request to an exposed COMMGR instance. The software processes the request without proper validation and executes arbitrary code. If COMMGR is used to configure or monitor industrial equipment, the attacker gains control over that equipment's configuration or operation.
Prerequisites
- Network access to COMMGR software port (details not specified in advisory)
- COMMGR instance exposed on network accessible to attacker
Tags: remotely exploitable · no authentication required · low complexity · no patch available for Version 1 · critical CVSS score (9.8)
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (2)
1 with fix, 1 EOL
Product             | Affected Versions          | Fix Status
COMMGR (Version 1)  | All versions (vers:all/*)  | No fix (EOL)
COMMGR (Version 2)  | ≤ v2.9.0                   | v2.10.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to COMMGR to authorized workstations only; do not expose it to the Internet.
WORKAROUND: If remote access to COMMGR is required, route all connections through a Virtual Private Network (VPN).
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
COMMGR (Version 2): ≤ v2.9.0
HOTFIX: Upgrade COMMGR Version 2 to v2.10.0 or later.
COMMGR (Version 1): vers:all/*
HOTFIX: Discontinue use of COMMGR Version 1; migrate to Version 2 and apply the patch to v2.10.0.
Mitigations - no patch available
COMMGR (Version 1): vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate COMMGR on a separate network segment from the business network and the Internet.
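The remediation above splits COMMGR installs into three buckets (Version 1 is EOL and must be isolated and migrated, Version 2 at or below v2.9.0 must be upgraded to v2.10.0, anything newer needs no action). The following is an added example, not part of the advisory and not Delta Electronics code, that triages an asset inventory against those ranges. It assumes COMMGR reports a "1.x.y" or "2.x.y" style version string; the hostnames and version strings in the sample inventory are constructed for the example.

```python
"""Triage a COMMGR inventory against the advisory's affected version ranges.

Added example; not from the advisory or from Delta Electronics. Assumes an
inventory of (host, version string) pairs and that COMMGR reports its version
as "1.x.y" / "2.x.y" (the exact version-string format is an assumption).
"""
import re
from typing import List, NamedTuple, Tuple

FIXED_V2 = (2, 10, 0)  # Version 2 is fixed in v2.10.0 per the advisory


class Triage(NamedTuple):
    host: str
    version: Tuple[int, ...]
    affected: bool
    action: str


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn 'v2.9.0', '2.9' or 'V1.02' into a 3-part integer tuple.

    Integer tuples compare numerically, so 2.9.0 < 2.10.0 holds; a plain
    string comparison would get that wrong ("2.9" > "2.10").
    """
    m = re.fullmatch(r"[vV]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", raw.strip())
    if not m:
        raise ValueError(f"unrecognised COMMGR version string: {raw!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def triage(host: str, raw_version: str) -> Triage:
    ver = parse_version(raw_version)
    major = ver[0]
    if major == 1:
        # Version 1 is end-of-life: every release is affected and no patch will ship.
        return Triage(host, ver, True,
                      "EOL: isolate on a separate segment, restrict access, "
                      "migrate to Version 2 at v2.10.0 or later")
    if major == 2:
        if ver < FIXED_V2:
            return Triage(host, ver, True,
                          "Upgrade to v2.10.0 or later (plan a maintenance "
                          "window; a reboot may be required)")
        return Triage(host, ver, False, "No action: already at or above v2.10.0")
    # Anything else is outside the advisory's scope; flag it instead of guessing.
    return Triage(host, ver, False, "Unknown major version: review manually")


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Triage]:
    return [triage(host, version) for host, version in inventory]


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "v2.9.0"),
    ("eng-ws-02", "2.10.0"),
    ("legacy-hmi", "1.3.1"),
    ("eng-ws-03", "v2.11"),
]

if __name__ == "__main__":
    for t in triage_inventory(SAMPLE_INVENTORY):
        flag = "AFFECTED" if t.affected else "ok"
        dotted = ".".join(str(p) for p in t.version)
        print(f"{t.host:12} {dotted:8} {flag:9} {t.action}")
```

Feed it the output of whatever asset inventory tracks engineering workstations; the point of the integer-tuple comparison is that v2.9.0 is correctly classified as below the v2.10.0 fix, which a naive string comparison would miss.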
CVEs (1)