CVE-2026-3094: Delta CNCSoft-G2 Out-of-bounds Write RCE

Critical Out-of-bounds Write Threatens Delta Electronics CNCSoft-G2 in Critical Manufacturing

Delta Electronics CNCSoft-G2, a key software suite used in critical manufacturing environments globally, contains a significant out-of-bounds write vulnerability, identified as CVE-2026-3094. Successful exploitation of this flaw could enable an attacker to achieve RCE on affected devices, posing a serious risk to industrial control systems (ICS). While the vulnerability requires local access and user interaction for exploitation, its potential impact on critical infrastructure demands immediate attention from security professionals. According to CISA ICSA-26-064-01, the issue stems from improper handling of DPAX files within the DOPSoft component.

Technical Analysis of CVE-2026-3094

The vulnerability, a CWE-787 Out-of-bounds Write, affects Delta Electronics CNCSoft-G2 versions prior to V2.1.0.39. This flaw occurs during the parsing of specially crafted DPAX files within the DOPSoft component of CNCSoft-G2. An out-of-bounds write condition typically allows an attacker to write data outside of an intended memory buffer, which can lead to various consequences, from application crashes (denial of service) to the execution of arbitrary code.

The CVSS v3.1 base score for CVE-2026-3094 is 7.8, categorized as HIGH severity. The vector string, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicates that the attack vector (AV) is local, meaning an attacker would need to have local access to the system. Additionally, user interaction (UI:R) is required, implying that a user would need to be tricked into performing an action, such as opening a malicious DPAX file. Despite these conditions, the potential for high confidentiality (C:H), integrity (I:H), and availability (A:H) impacts underscore the severity, as a successful RCE could give an attacker full control over the compromised system.

Natnael Samson (@NattiSamson) of TrendAI Zero Day Initiative reported this vulnerability to CISA. Currently, no public exploitation specifically targeting this vulnerability has been reported to CISA, but this does not diminish the need for proactive defense, particularly in critical infrastructure sectors like Critical Manufacturing, where operational continuity is paramount.

Prioritizing Delta Electronics CNCSoft-G2 V2.1.0.39 Update and Mitigation Steps

Given the potential for RCE and the deployment of CNCSoft-G2 in critical manufacturing operations worldwide, organizations must prioritize the recommended remediation and implement robust mitigation strategies. Even though the attack requires local access and user interaction, threat actors frequently leverage social engineering tactics or gain initial footholds through other vulnerabilities to stage such attacks. The following recommendations provide comprehensive guidance for addressing CVE-2026-3094 mitigation steps.

Immediate Remediation

• Software Update: The most critical step is to update Delta Electronics CNCSoft-G2 to Version 2.1.0.39 or later. This version, available from the Delta Electronics download center, directly resolves the out-of-bounds write vulnerability. Organizations should reference Delta Electronics’ security advisory Delta-PCSA-2026-00004 for additional information.

Broader Mitigation Strategies

To enhance overall security posture and protect against this and similar TTPs, CISA recommends the following defensive measures:

• Network Segmentation: Minimize network exposure for all control system devices and systems. Ensure they are not directly accessible from the internet. Isolate control system networks and remote devices behind firewalls, separating them from corporate or business networks.
• Secure Remote Access: When remote access is necessary for ICS components, utilize secure methods such as Virtual Private Networks (VPNs). It is crucial to ensure VPNs are updated to the most current version and that their security is not undermined by connected devices.
• Defense-in-Depth: Implement a multi-layered security approach. This includes strong access controls, network intrusion detection systems, and regular security audits of ICS environments. Performing proper impact analysis and risk assessment before deploying new defensive measures is also vital.
• User Awareness Training: Educate personnel on recognizing and avoiding social engineering and Phishing attacks. Users should be instructed not to open unsolicited email attachments or click suspicious web links, as these can be vectors for delivering malicious files like the specially crafted DPAX files required for this exploitation.
• Proactive Monitoring and Reporting: Organizations should establish procedures for observing and reporting suspected malicious activity. This includes monitoring for unusual file access, system crashes, or unexpected network traffic. Report findings to CISA for tracking and correlation against other incidents.