OTPulse

Delta Electronics CNCSoft-G2

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-26-064-01 | Mar 5, 2026
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required

Summary

Delta Electronics CNCSoft-G2 contains an out-of-bounds write vulnerability (CWE-787) in its file parsing functionality. Versions prior to 2.1.0.39 are affected. Successful exploitation requires local access to the CNCSoft-G2 workstation and user interaction to open a malicious file, after which an attacker could execute arbitrary code with the privileges of the application. The vulnerability is not remotely exploitable and has not been observed in public exploitation as of this advisory date. Delta Electronics has released version 2.1.0.39 as a fix.

What this means
What could happen
An attacker with local access to a CNCSoft-G2 system could run arbitrary code with the privileges of the CNCSoft-G2 application, potentially altering CNC machine parameters, stopping production, or corrupting part programs.
Who's at risk
Manufacturing facilities running Delta Electronics CNCSoft-G2 CNC programming and control software are affected. The exposure is primarily on the engineering and setup workstations where CNC part programs are created and loaded onto machine tools.
How it could be exploited
An attacker must be present at or have interactive access to the CNCSoft-G2 workstation. The vulnerability is triggered through file parsing when a malicious file is opened or processed. Once exploited, the attacker gains code execution in the context of the CNCSoft-G2 application, allowing control over connected CNC equipment.
Prerequisites
  • Local file system or USB access to the CNCSoft-G2 workstation
  • User interaction required: victim must open or process a malicious file
  • CNCSoft-G2 version prior to 2.1.0.39 must be installed
Key factors
  • Out-of-bounds write vulnerability
  • Local access required but can be delivered via file
  • User interaction required
  • High impact if exploited
  • No patch available for versions prior to 2.1.0.39
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
CNCSoft-G2: <V2.1.0.39 | <V2.1.0.39 | 2.1.0.39
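
An added example, not part of the advisory or of any Delta Electronics tooling: triaging an asset inventory export against the fixed version 2.1.0.39 with a numeric comparison, since comparing the strings would misjudge 2.1.0.4 and 2.1.0.100. The CSV columns, host names and sample rows are constructed, and padding short versions with zeros is an assumption.

```python
import csv
import io
import re

FIXED = (2, 1, 0, 39)  # fixed release named in the advisory


def parse_version(text):
    """Return a 4-part integer tuple, or None if text is not a dotted version."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Assumption: a short version such as "2.0" means "2.0.0.0".
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version_text):
    """'affected' below the fix, 'fixed' at or above it, 'unknown' if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # needs a manual check on the workstation
    return "affected" if v < FIXED else "fixed"


def triage(inventory_csv):
    """Map each host running CNCSoft-G2 to its status; other products are skipped."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "cncsoft-g2":
            continue
        result[row["host"]] = classify(row["version"])
    return result


# Constructed sample inventory (hypothetical column names and hosts).
SAMPLE = """host,product,version
eng-ws-01,CNCSoft-G2,V2.1.0.4
eng-ws-02,CNCSoft-G2,2.1.0.39
eng-ws-03,CNCSoft-G2,2.1.0.100
eng-ws-04,CNCSoft-G2,2.0
eng-ws-05,CNCSoft-G2,n/a
hmi-07,OtherTool,1.0
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown should be checked by hand rather than assumed patched.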
Remediation & Mitigation
Do now
  • WORKAROUND: Disable automatic file opening or processing features in CNCSoft-G2 where possible
  • HARDENING: Restrict local user access to CNCSoft-G2 workstations to authorized personnel only
  • HARDENING: Implement USB port controls or disable USB connectivity on CNCSoft-G2 workstations to prevent unauthorized file introduction
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update CNCSoft-G2 to version 2.1.0.39 or later
Long-term hardening
  • HARDENING: Isolate CNCSoft-G2 engineering workstations from business networks and the internet
Delta Electronics CNCSoft-G2 | CVSS 7.8 - OTPulse