Delta Electronics COMMGR
Action: Plan Patch
Score: 8.6
Source: ICS-CERT ICSA-25-240-05
Date: Aug 28, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Delta Electronics COMMGR contains stack-based buffer overflow (CWE-121) and code injection (CWE-94) vulnerabilities in versions 2.9.0 and earlier. Successful exploitation could allow an attacker to execute arbitrary code on the affected device.
What this means
What could happen
An attacker could execute arbitrary code on the COMMGR device, potentially allowing them to modify process configurations, interrupt communications between control systems, or gain persistent access to your industrial network.
Who's at risk
Manufacturing and process automation environments using Delta Electronics COMMGR for communication management. This includes automotive, chemical processing, semiconductor, and general industrial facilities that rely on Delta's industrial communication controllers for PLC and HMI coordination.
How it could be exploited
An attacker with network access to the COMMGR device could exploit a stack-based buffer overflow or code injection vulnerability to run arbitrary commands on the device without authentication. This could be achieved through crafted network packets or requests to the COMMGR service port.
Prerequisites
- Network access to COMMGR device
- No authentication required
- Device must be reachable from attacker's network location
Tags: remotely exploitable · no authentication required · low complexity · arbitrary code execution
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
COMMGR  | ≤ v2.9.0          | v2.10.0
Remediation & Mitigation
Do now
HARDENING: Place COMMGR and dependent control systems behind a firewall and restrict network access to management/engineering networks only.
HARDENING: If remote access to COMMGR is required, use secure access methods such as a VPN with multi-factor authentication.
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
HOTFIX: Update Delta Electronics COMMGR to version 2.10.0 or later.
Long-term hardening
HARDENING: Segment control system networks from the business network to limit lateral movement if COMMGR is compromised.
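The two network-restriction items above (firewall placement and segmentation from the business network) can be checked mechanically. The following is an added example, not part of this advisory and not Delta Electronics code: it encodes an allowlist of engineering subnets, evaluates constructed flow records against it to find connections to the COMMGR service that the policy should have blocked, and renders the equivalent nftables rules. The COMMGR host address, service port and subnet values are placeholders chosen for the example; the advisory does not state them.

```python
"""Segmentation check for a COMMGR host: allowlist evaluation plus nftables rendering.

Added example, not code from the advisory or from Delta Electronics.
"""
import ipaddress
from dataclasses import dataclass

# Placeholder site values (assumed, not from the advisory): the COMMGR host,
# its service port, and the engineering subnets allowed to reach it.
COMMGR_HOST = ipaddress.ip_address("10.20.30.40")
COMMGR_PORT = 12345  # placeholder; the advisory does not name the real port
ENGINEERING_NETS = [
    ipaddress.ip_network("10.20.1.0/24"),
    ipaddress.ip_network("10.20.2.0/24"),
]


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (source IP, destination IP, destination port)."""
    src: str
    dst: str
    dport: int


def is_allowed(flow, allowed_nets=ENGINEERING_NETS, host=COMMGR_HOST, port=COMMGR_PORT):
    """Return True if the flow is permitted by the segmentation policy.

    Traffic that is not destined for the COMMGR service is out of scope for this
    policy and is reported as allowed; traffic to the COMMGR service is allowed
    only when the source lies inside one of the engineering subnets.
    """
    dst = ipaddress.ip_address(flow.dst)
    if dst != host or flow.dport != port:
        return True
    src = ipaddress.ip_address(flow.src)
    return any(src in net for net in allowed_nets)


def find_violations(flows, **policy):
    """Return the flows (in input order) that reached the COMMGR service from outside the allowlist."""
    return [f for f in flows if not is_allowed(f, **policy)]


def render_nftables_rules(allowed_nets=ENGINEERING_NETS, host=COMMGR_HOST, port=COMMGR_PORT):
    """Render the policy as an nftables ruleset: accept from engineering subnets, drop everything else to the service."""
    nets = ", ".join(str(n) for n in allowed_nets)
    return "\n".join([
        "table inet commgr_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr {{ {nets} }} ip daddr {host} tcp dport {port} accept",
        f"    ip daddr {host} tcp dport {port} drop",
        "  }",
        "}",
    ])


# Constructed sample flows: two from engineering subnets, two from networks
# that should never reach COMMGR, and one to an unrelated service.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.20.30.40", COMMGR_PORT),    # engineering workstation: allowed
    Flow("10.20.2.200", "10.20.30.40", COMMGR_PORT),   # engineering server: allowed
    Flow("192.168.50.7", "10.20.30.40", COMMGR_PORT),  # business LAN: violation
    Flow("172.16.9.3", "10.20.30.40", COMMGR_PORT),    # unknown network: violation
    Flow("192.168.50.7", "10.20.30.40", 443),          # other service: out of scope
]


if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS):
        print(f"blocked by policy: {f.src} -> {f.dst}:{f.dport}")
    print(render_nftables_rules())
```

Run it against real flow records exported from a firewall or NetFlow collector by replacing SAMPLE_FLOWS; any violation it reports is a host that can currently reach the unauthenticated COMMGR service and should be cut off before or alongside patching. The rendered ruleset uses the input hook, so it is meant for the COMMGR host itself; on a separate firewall the forward hook would be used instead.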
CVEs (2)
API: /api/v1/advisories/ab33a847-409a-46e8-a73b-e12a976dd7c9