Delta Electronics CNCSoft-G2 Vulnerability Advisory
Delta Electronics CNCSoft-G2 Vulnerability Advisory π¨
Date Published: March 5, 2026
Delta Electronics CNCSoft-G2 devices prior to version V2.1.0.39 are vulnerable to an Out-of-Bounds Write while parsing DPAX files in the DOPSoft component. This vulnerability is identified as CVE-2026-3094. Successful exploitation could allow an attacker to achieve remote code execution on the device, although this vulnerability is not exploitable remotely.
Critical Information:
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Taiwan
- Relevant CWE: CWE-787 Out-of-bounds Write
This vulnerability was reported to CISA by Natnael Samson (@NattiSamson) of TrendAI Zero Day Initiative. Delta Electronics recommends users update to Version 2.1.0.39, which resolves this vulnerability. The update can be obtained from the Delta Electronics download center: Download Center.
For more information, see the associated Delta Electronics security advisory Delta-PCSA-2026-00004.
Recommendations from CISA:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods such as Virtual Private Networks (VPNs), and ensure they are updated to the most current version available.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.