Delta Electronics CNCSoft-G2
Plan: Patch · 7.8 · ICS-CERT ICSA-25-240-04 · Aug 28, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
CNCSoft-G2 versions 2.1.0.20 and earlier contain an out-of-bounds write vulnerability (CWE-787) that could allow an attacker with local access to execute arbitrary code on affected installations. The vulnerability requires user interaction, such as opening a malicious file. Delta Electronics recommends updating to version 2.1.0.27 or later. No known public exploitation has been reported.
What this means
What could happen
An attacker with local access to a machine running CNCSoft-G2 could execute arbitrary code and take full control of the system, potentially disrupting CNC machining operations or causing equipment damage if the software controls critical processes.
Who's at risk
Manufacturing facilities and machine shops using Delta Electronics CNCSoft-G2 CNC software should care about this vulnerability. It affects any organization using this software for controlling CNC machines or similar equipment, particularly where workstations may be at risk of receiving untrusted files via email or removable media.
How it could be exploited
An attacker must have local access to a machine running CNCSoft-G2 and trick a user into opening a malicious file (e.g., via email attachment or USB drive). Once the user opens the file, the attacker's code runs with the same privileges as the user, allowing arbitrary code execution on the system.
Prerequisites
- Local access to a workstation running CNCSoft-G2
- User interaction required: the victim must open a malicious file
- No special privileges or credentials needed
- Local access required (not remotely exploitable)
- User interaction required
- No patch available from vendor yet
- Low complexity attack
- CNC software controls physical machinery
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
CNCSoft-G2 | ≤ 2.1.0.20 | 2.1.0.27
Remediation & Mitigation
Do now
- Workaround: Disable or restrict email attachments and block execution of untrusted files on engineering workstations
- Hardening: Restrict physical and logical access to machines running CNCSoft-G2 to authorized personnel only
- Hardening: Isolate CNCSoft-G2 workstations from the business network using a firewall or air-gap
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
- Hotfix: Update CNCSoft-G2 to version 2.1.0.27 or later
Long-term hardening
- Hardening: Train operators and engineers to avoid clicking untrusted links and opening unsolicited file attachments
CVEs (1)
API: /api/v1/advisories/92738b6a-7d68-4749-8f3b-96840425e996