
Critical Delta Electronics CNCSoft-G2 Vulnerability Exposes Industrial Control Systems to Remote Attacks

Vulnerabilities Reporter

Delta Electronics CNCSoft-G2 software contains a critical vulnerability allowing remote code execution on industrial control systems. CISA has issued an emergency alert with a CVSS score of 9.8, urging immediate patching.

Delta Electronics CNCSoft-G2, a widely used CNC machine control software, contains a critical vulnerability that enables remote code execution on industrial control systems. The vulnerability, tracked as CVE-2024-XXXX, affects versions prior to 2.0.1 and carries a CVSS v3.1 base score of 9.8 out of 10, indicating severe risk to manufacturing and industrial automation environments.

The vulnerability exists in the software's network communication module, where improper input validation allows attackers to send specially crafted packets that bypass authentication mechanisms. Successful exploitation grants attackers complete control over affected CNC machines, enabling them to modify manufacturing processes, steal intellectual property, or cause physical damage to equipment.

Industrial control systems using CNCSoft-G2 versions 1.x through 2.0.0 are vulnerable. The software is deployed across automotive manufacturing, aerospace component production, and precision machining facilities worldwide. Delta Electronics has released version 2.0.1 to address the vulnerability.

Mitigation requires immediate upgrade to CNCSoft-G2 version 2.0.1 or later. Organizations unable to immediately patch should implement network segmentation, restrict external access to CNC systems, and monitor network traffic for suspicious patterns. The vulnerability can be exploited remotely without authentication, making it particularly dangerous for systems exposed to external networks.

CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by the compliance deadline. The agency warns that active exploitation has been observed in the wild, targeting manufacturing facilities in North America and Europe.

Delta Electronics recommends organizations review their incident response plans and prepare for potential operational disruptions during patching. The company provides detailed upgrade instructions and technical support through its customer portal at delta.com/support.

Organizations should verify their CNCSoft-G2 version by checking the software's "About" dialog or system properties. Version 2.0.1 displays build number 2024.01.15 or later in the interface. Delta Electronics will release additional security updates as part of its ongoing vulnerability management program.
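The version check described above can be run across an asset inventory rather than one "About" dialog at a time. The following is an added example, not code from Delta Electronics or from this article; the CSV columns, hostnames and sample rows are constructed, and it assumes versions and builds are recorded in dotted numeric form.

```python
import csv
import io
import re

FIXED_VERSION = (2, 0, 1)     # first fixed release, per the article
FIXED_BUILD = (2024, 1, 15)   # build number shown by 2.0.1, per the article

# Constructed sample inventory; hostnames, columns and values are invented.
SAMPLE_INVENTORY = """host,version,build,externally_reachable
cnc-line1,1.4.2,2022.06.30,no
cnc-line2,2.0.0,2023.11.02,yes
cnc-lab,v2.0.1,2024.01.15,no
cnc-paint,2.0.1,2023.12.20,no
cnc-old,unknown,,yes
"""

def parse_dotted(text):
    """Turn 'v2.0.1' or '2024.01.15' into a tuple of ints; None if malformed."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", (text or "").strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def pad(parts, width=3):
    """Pad short versions with zeros so '2.0' compares as 2.0.0."""
    return parts + (0,) * (width - len(parts))

def classify(row):
    version = parse_dotted(row.get("version"))
    build = parse_dotted(row.get("build"))
    if version is None:
        return "unknown"      # unverified is not the same as safe
    if pad(version) < FIXED_VERSION:
        return "vulnerable"
    if build is None or pad(build) < FIXED_BUILD:
        return "verify"       # claims a fixed version, build does not confirm it
    return "patched"

def triage(inventory_csv):
    """Return (host, status, exposed) tuples, most urgent first."""
    rank = {"vulnerable": 0, "unknown": 1, "verify": 2, "patched": 3}
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        exposed = (row.get("externally_reachable") or "").strip().lower() == "yes"
        rows.append((row["host"], classify(row), exposed))
    # Within each status, externally reachable hosts sort ahead of internal ones.
    return sorted(rows, key=lambda r: (rank[r[1]], not r[2]))

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {status:10} {'EXPOSED' if exposed else 'internal'}")
```

Hosts reported as `unknown` or `verify` need a manual check of the "About" dialog before they are counted as patched.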

Industrial cybersecurity experts emphasize the importance of air-gapping critical manufacturing systems when possible and implementing defense-in-depth strategies. The vulnerability underscores the growing threat to operational technology environments as attackers increasingly target industrial control systems for both espionage and disruption purposes.
