Delta Electronics ASDA-Soft
Plan Patch · CVSS 7.8 · ICS-CERT ICSA-25-296-04 · Oct 23, 2025
Delta Electronics
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Delta Electronics ASDA-Soft versions 7.0.2.0 and earlier contain a stack-based buffer overflow vulnerability (CWE-121) that allows an attacker to write data outside of allocated memory buffers. The vulnerability requires local access and user interaction (user must click a link or open an attachment) to trigger. Successful exploitation could lead to code execution with the privileges of the user running the application.
What this means
What could happen
An attacker with local access who tricks a user into opening a malicious file or link could execute arbitrary code on the engineering workstation running ASDA-Soft, potentially allowing modification of motor drive parameters, control logic, or process settings.
Who's at risk
This vulnerability affects organizations using Delta Electronics ASDA-Soft for motor drive configuration and parameter management. It primarily impacts engineering staff and technicians who use ASDA-Soft on workstations connected to or near motor control systems, particularly in manufacturing facilities, water treatment plants, and power distribution systems where Delta variable frequency drives (VFDs) and servo drives are deployed.
How it could be exploited
The attacker must first achieve local access to a system running ASDA-Soft (typically an engineering workstation), then convince or trick a user into clicking a malicious link or opening a crafted attachment. The vulnerability is triggered when the application processes the malicious input, causing a buffer overflow that overwrites memory and allows code execution in the context of the logged-in user.
Prerequisites
- Local access to the engineering workstation or machine running ASDA-Soft
- User interaction required: user must click a link or open an attachment from an untrusted source
- ASDA-Soft version 7.0.2.0 or earlier must be installed
local access required · user interaction required (social engineering) · buffer overflow vulnerability · no public exploit available yet
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
ASDA-Soft: <=7.0.2.0 | ≤ 7.0.2.0 | 7.1.1.0
Remediation & Mitigation
Do now
- HARDENING: Restrict access to engineering workstations running ASDA-Soft to trusted users only; enforce role-based access controls
- WORKAROUND: Disable or restrict email attachments on engineering workstations; implement content filtering to block suspicious attachments
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update ASDA-Soft to version 7.1.1.0 or newer
Long-term hardening
- HARDENING: Train users not to click links from untrusted sources or open unsolicited email attachments
- HARDENING: Isolate engineering workstations from the business network using a dedicated engineering network segment behind a firewall
CVEs (2)