Delta Electronics DIAView Vulnerability Advisory

Title: Delta Electronics DIAView
Source: ICS-CERT Advisories
Date Published: January 22, 2026
Excerpt:
“Successful exploitation of this vulnerability could enable an attacker to execute arbitrary code. The vulnerability, identified as CVE-2026-0975, affects Delta Electronics DIAView, specifically version 4.2.0. DIAView functions can execute shell commands within a project script. If an attacker tricks the victim into running a project containing a malicious script, then arbitrary code can be executed when the malicious project starts. This issue is classified as CWE-77, ‘Improper Neutralization of Special Elements used in a Command (‘Command Injection’)’.”
Critical Infrastructure Sectors, including Chemical, Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater, are identified as being at risk, with deployments worldwide. An anonymous researcher at Trend Zero Day Initiative reported this vulnerability to CISA. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
Delta Electronics recommends users update to DIAView v4.4 or later to remediate the vulnerability. Additionally, Delta Electronics offers users the following general recommendations to mitigate risks:

  • Do not click on untrusted Internet links or open unsolicited attachments in emails.
  • Avoid exposing control systems and equipment to the Internet.
  • Place control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use a secure access method, such as a virtual private network (VPN).

This post is licensed under CC BY 4.0 by the author.