In the high-stakes world of Operational Technology (OT), the gap between a routine software update and a catastrophic shutdown can be a single file extension. Today, the Security Arsenal team is analyzing a critical vulnerability affecting Delta Electronics CNCSoft-G2, a widely used software suite in industrial automation.
Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution (RCE), potentially granting them the ability to manipulate industrial processes or deploy ransomware across the manufacturing floor.
Vulnerability Deep Dive: CVE-2026-3094
The vulnerability, tracked as CVE-2026-3094, has been assigned a CVSS v3.1 base score of 7.8 (High). While the attack vector is technically Local (AV:L), requiring user interaction, the implications for an industrial environment are severe.
The Technical Mechanics: The flaw resides in the DOPSoft component of CNCSoft-G2. Specifically, the application fails to properly validate input when parsing DPAX files. This leads to an Out-of-Bounds Write (CWE-787) condition.
Why This Matters for OT: In many manufacturing environments, engineers share project files (like DPAX) via email or shared network drives to transfer logic or HMI designs. If an attacker can social-engineer an operator or compromise a shared drive to replace a legitimate DPAX file with a malicious one, they can trigger the vulnerability simply by having the file opened. Once the out-of-bounds write occurs, it can corrupt memory to redirect the execution flow to attacker-controlled shellcode, effectively taking over the engineering workstation.
Affected Products
The vulnerability impacts all versions of Delta Electronics CNCSoft-G2 prior to version V2.1.0.39. Given Delta Electronics' significant footprint in the Critical Manufacturing sector worldwide, the potential attack surface is substantial.
Detection and Threat Hunting
Identifying vulnerable software versions in your environment is the first step. Additionally, monitoring for the processing of suspicious DPAX files can help detect active exploitation attempts.
1. PowerShell: Identify Vulnerable Versions
You can use the following PowerShell script to scan your Windows endpoints for installed versions of CNCSoft-G2 and check if they are vulnerable.
```powershell
# Check for CNCSoft-G2 installation and version
$regPath = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
$installedApps = Get-ItemProperty $regPath -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like "*CNCSoft*" -or $_.DisplayName -like "*DOPSoft*" }
$targetVersion = [version]"2.1.0.39"  # first fixed release

if ($installedApps) {
    Write-Host "[+] CNCSoft-G2/DOPSoft installations found:" -ForegroundColor Cyan
    foreach ($app in $installedApps) {
        # DisplayVersion can be empty or carry a leading "V"; parse defensively so one
        # malformed entry neither throws nor is silently reported as patched.
        $version = $null
        $raw = "$($app.DisplayVersion)".Trim() -replace '^v', ''
        if (-not [version]::TryParse($raw, [ref]$version)) {
            Write-Host "[WARN] Unparseable version '$($app.DisplayVersion)' for $($app.DisplayName); verify manually." -ForegroundColor Yellow
            continue
        }
        if ($version -lt $targetVersion) {
            Write-Host "[ALERT] Vulnerable Version Detected:" -ForegroundColor Red
            Write-Host "Name: $($app.DisplayName)"
            Write-Host "Version: $($app.DisplayVersion) (< 2.1.0.39)"
            Write-Host "Install Path: $($app.InstallLocation)"
            Write-Host "--------------------------------"
        } else {
            Write-Host "[SAFE] Patched Version: $($app.DisplayName) - $($app.DisplayVersion)" -ForegroundColor Green
        }
    }
} else {
    Write-Host "[-] CNCSoft-G2 not found on this system." -ForegroundColor Gray
}
```
2. Python: Detect High-Entropy DPAX Files
Since the exploit relies on parsing DPAX files, scanning for high-entropy files (which often indicate embedded shellcode or packed payloads) can be a useful heuristic for threat hunting.
```python
import math
import os


def calculate_entropy(file_path):
    """Calculate the Shannon entropy of a file (bits per byte), or None if unreadable."""
    try:
        with open(file_path, 'rb') as f:
            data = f.read()
    except OSError as e:
        print(f"Error reading {file_path}: {e}")
        return None
    if not data:
        return 0.0
    byte_counts = [0] * 256
    for byte in data:
        byte_counts[byte] += 1
    entropy = 0.0
    for count in byte_counts:
        if count > 0:
            probability = count / len(data)
            entropy -= probability * math.log2(probability)
    return entropy


def scan_dpax_files(directory):
    """Scan a directory for .dpax files and check their entropy."""
    print(f"Scanning directory: {directory}")
    for root, _, files in os.walk(directory):
        for file in files:
            if file.lower().endswith('.dpax'):
                full_path = os.path.join(root, file)
                ent = calculate_entropy(full_path)
                if ent is None:
                    continue  # unreadable file: already reported, do not label it [OK]
                # Normal text/data is usually < 6.0, compressed/encrypted/malicious often > 7.5
                status = "[SUSPICIOUS]" if ent > 7.5 else "[OK]"
                print(f"{status} Entropy: {ent:.4f} | File: {full_path}")


if __name__ == "__main__":
    # Replace with your actual project directory path
    target_dir = r"C:\Projects\DeltaAutomation"
    if os.path.exists(target_dir):
        scan_dpax_files(target_dir)
    else:
        print("Directory not found. Please update the target_dir variable.")
```
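An added example, not part of the original post: a fixed 7.5 cut-off on whole-file entropy would flag every file if DPAX turns out to be a compressed container, and it averages away a small dense region inside a large low-entropy file. The sketch below instead scores each file's peak windowed entropy against a baseline built from trusted project files. The sample data, `fake_project`, the 1024-byte window and the 3.5 cut-off are constructed assumptions, not properties of the DPAX format.

```python
import hashlib
import math
import statistics
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def peak_window_entropy(data: bytes, window: int = 1024) -> float:
    """Highest entropy of any aligned window; a small dense region stands out
    here even when the whole-file figure averages it away."""
    return max((shannon_entropy(data[i:i + window])
                for i in range(0, len(data), window)), default=0.0)

def build_baseline(known_good: list[bytes]) -> tuple[float, float]:
    """Median and robust spread (scaled MAD) of peak entropy over trusted files."""
    peaks = [peak_window_entropy(d) for d in known_good]
    med = statistics.median(peaks)
    mad = statistics.median(abs(p - med) for p in peaks)
    return med, max(1.4826 * mad, 0.1)  # floor so near-identical files cannot give zero spread

def is_outlier(data: bytes, baseline: tuple[float, float], cutoff: float = 3.5) -> bool:
    """True when peak entropy sits more than `cutoff` spreads above the baseline median."""
    med, spread = baseline
    return (peak_window_entropy(data) - med) / spread > cutoff

# --- Constructed sample data (not real DPAX content) ---
def fake_project(seed: int, lines: int = 4600) -> bytes:
    """Text-like stand-in for a trusted project file (hypothetical layout)."""
    return b"".join(b"<Element id='%d' addr='D%d' type='button'/>\n" % (i, i * 7 + seed)
                    for i in range(lines))

# 4 KiB of hash output as an inert stand-in for packed or encrypted content.
DENSE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

BASELINE = build_baseline([fake_project(s) for s in (0, 1000, 2000, 3000, 4000)])
HELD_OUT_GOOD = fake_project(5000)
TAMPERED = HELD_OUT_GOOD[:100_000] + DENSE + HELD_OUT_GOOD[100_000:]

if __name__ == "__main__":
    for name, blob in (("held-out good", HELD_OUT_GOOD), ("tampered", TAMPERED)):
        print(f"{name}: whole={shannon_entropy(blob):.2f} "
              f"peak={peak_window_entropy(blob):.2f} outlier={is_outlier(blob, BASELINE)}")
```

Build the baseline from project files whose provenance you trust (for example, copies taken from version control or backups) and rebuild it when the engineering tool version changes.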
3. KQL: Monitor for Suspicious CNCSoft Activity
For organizations utilizing Microsoft Sentinel or Defender for Endpoint, the following KQL query helps detect CNCSoft-G2 processes interacting with DPAX files or spawning unexpected child processes (a sign of successful exploitation).
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
// Look for the main vulnerable applications
| where InitiatingProcessFileName in~ ("CNCSoft.exe", "DOPSoft.exe")
// Filter for interaction with DPAX files or spawning non-standard children
// (FileName is the child process image name in DeviceProcessEvents)
| where ProcessCommandLine has ".dpax" or
    not(FileName in~ ("CNCSoft.exe", "DOPSoft.exe", "conhost.exe", "WerFault.exe"))
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine,
    FileName, FolderPath, AccountName
| order by Timestamp desc
```
Mitigation Strategy
Delta Electronics has released a patch to address this issue. Security Arsenal recommends the following immediate actions:
- Patch Immediately: Update CNCSoft-G2 to Version 2.1.0.39 or later. The update is available via the Delta Electronics Download Center.
- Restrict File Extensions: Temporarily block the receipt and execution of .dpax files from external sources via email gateways until all endpoints are patched.
- Network Segmentation: Ensure that engineering workstations running CNCSoft-G2 are isolated from the broader business network. As CISA advises, locate control system networks behind firewalls and minimize internet exposure.
- Least Privilege: Ensure operators do not have administrative rights on their engineering workstations to limit the potential impact of code execution.
Conclusion
CVE-2026-3094 serves as a stark reminder that the software supply chain in OT environments is a prime target for adversaries. A simple file open operation should not be a gateway to system compromise. By applying the patches above and monitoring for the indicators provided, you can significantly reduce your risk profile.
Stay vigilant.