Delta Electronics CNCSoft-G2

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-26-064-01 | Mar 5, 2026
Delta Electronics | Manufacturing
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

CNCSoft-G2 contains an out-of-bounds write vulnerability in its file parsing logic. Exploitation requires a user to open a malicious file using the affected software. Successful exploitation allows arbitrary code execution on the engineering workstation. The vulnerability affects CNCSoft-G2 versions prior to 2.1.0.39. This vulnerability is not remotely exploitable and requires local access or user interaction.

What this means
What could happen
An attacker with access to a system running CNCSoft-G2 could run arbitrary code on that machine, potentially compromising engineering data, process configurations, or the integrity of any manufacturing control systems it manages.
Who's at risk
Manufacturing facilities using Delta Electronics CNCSoft-G2 for CNC machine programming and control system engineering. Impact is limited to the engineering workstations or servers where the software runs; the vulnerability does not directly affect production equipment unless the compromised software is used to upload malicious configurations to the devices it controls.
How it could be exploited
An attacker must have local access to the CNCSoft-G2 software (or trick a user into opening a malicious file). The vulnerability is triggered by parsing a specially crafted file, which causes an out-of-bounds write that allows code execution on the engineering workstation or server where CNCSoft-G2 is installed.
Prerequisites
  • Local access to the CNCSoft-G2 application or ability to deliver a malicious file to a user running the software
  • User action required: the user must open or import a crafted file using CNCSoft-G2
  • out-of-bounds write (CWE-787) leading to code execution
  • requires user interaction (opening a file)
  • no patch available at time of advisory release (patch released later)
  • could compromise engineering integrity of manufacturing systems
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
CNCSoft-G2: <V2.1.0.39 | <V2.1.0.39 | 2.1.0.39
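
The following is an added example, not part of the advisory or any Delta Electronics tooling: a triage of a software inventory against the fixed version 2.1.0.39. It compares versions numerically, because a plain string comparison ranks "2.1.0.4" above "2.1.0.39" and would miss an affected install. The CSV layout, hostnames and status labels are assumptions, and the sample inventory is constructed.

```python
import csv
import io
import re

FIXED = (2, 1, 0, 39)  # first fixed CNCSoft-G2 version, per the advisory

# Constructed sample inventory; hostnames and CSV columns are assumptions.
SAMPLE_INVENTORY = """host,product,version
eng-ws-01,CNCSoft-G2,V2.1.0.4
eng-ws-02,CNCSoft-G2,2.1.0.39
eng-ws-03,CNCSoft-G2,v2.1.0.38
eng-ws-04,CNCSoft-G2,2.1.1.0
eng-ws-05,CNCSoft-G2,unknown
eng-ws-06,OtherTool,1.0.0.0
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if not dotted-numeric."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short versions so "2.1" compares as 2.1.0.0.
    return parts + (0,) * (len(FIXED) - len(parts))


def triage(inventory_csv):
    """Map each CNCSoft-G2 host to 'affected', 'fixed' or 'review'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "cncsoft-g2":
            continue
        version = parse_version(row["version"])
        if version is None:
            # Unparseable version: check by hand, never assume it is fixed.
            result[row["host"]] = "review"
        elif version < FIXED:
            result[row["host"]] = "affected"
        else:
            result[row["host"]] = "fixed"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
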
Remediation & Mitigation
Do now
WORKAROUND: Implement file validation and restrict file imports in CNCSoft-G2 to trusted sources only until the patch can be deployed
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CNCSoft-G2 to version 2.1.0.39 or later using the Delta Electronics download center
Long-term hardening
HARDENING: Ensure CNCSoft-G2 engineering workstations are not accessible from the internet and are isolated on a dedicated engineering network
HARDENING: Train users not to open unsolicited files or email attachments, especially those claiming to be CNCSoft-G2 project files
Delta Electronics CNCSoft-G2 | CVSS 7.8 - OTPulse