Delta Electronics DIALink
Plan Patch · CVSS 10 · ICS-CERT ICSA-25-259-07 · Sep 16, 2025
Delta Electronics
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
DIALink versions v1.6.0.0 and earlier contain a path traversal vulnerability (CWE-22) that allows attackers to bypass authentication and gain unauthorized access to the application. Successful exploitation could allow an attacker to access protected functions, read sensitive data, or modify system configurations without valid credentials.
What this means
What could happen
An attacker could bypass authentication and gain unauthorized access to DIALink, potentially allowing them to read sensitive process data, modify control configurations, or disrupt operational visibility and remote monitoring capabilities for Delta-compatible equipment.
Who's at risk
Any organization using Delta Electronics DIALink v1.6.0.0 or earlier for remote monitoring, configuration, or control of Delta industrial equipment (VFDs, PLCs, inverters, power supplies, or other Delta devices). This affects facilities that rely on DIALink for operational visibility or remote troubleshooting.
How it could be exploited
An attacker with network access to DIALink (likely over HTTP/HTTPS or a local network) can send crafted requests that bypass authentication checks due to the path traversal flaw (CWE-22), gaining direct access to functions that normally require valid credentials.
Prerequisites
- Network access to DIALink service (typically port 80/443 or local network)
- DIALink version v1.6.0.0 or earlier deployed
remotely exploitable · no authentication required · low complexity · critical CVSS score (10.0) · affects operational technology equipment
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
DIALink: <=V1.6.0.0 | ≤ V1.6.0.0 | v1.8.0.0+
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to DIALink service to authorized users only using firewall rules; block access from untrusted networks and the Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update DIALink to v1.8.0.0 or later from the Delta Download Center
Long-term hardening
HARDENING: Isolate DIALink systems from the business (IT) network; place them behind a firewall on a dedicated OT or management network segment
HARDENING: If remote access to DIALink is required, enforce VPN or other secure access methods instead of direct Internet exposure
CVEs (2)