Critical Delta Electronics CNCSoft-G2 Flaw Exposes Manufacturing Systems to Code Execution
For organizations managing Operational Technology (OT) and Industrial Control Systems (ICS), the line between safety and cyber threats is increasingly blurred. A recent advisory highlights a significant security risk in Delta Electronics CNCSoft-G2, a widely used software suite in the Critical Manufacturing sector. A vulnerability tracked as CVE-2026-3094 allows attackers to achieve remote code execution (RCE), potentially giving them control over critical engineering workstations.
The Vulnerability Deep Dive
At the heart of this issue is an Out-of-Bounds Write (CWE-787) vulnerability. This occurs when software writes data past the intended boundary of a buffer, which can corrupt memory, crash the application, or—most critically here—allow an attacker to execute arbitrary code.
The Mechanics of the Exploit
The vulnerability resides in the DOPSoft component of CNCSoft-G2. Specifically, the software fails to properly validate input when parsing DPAX files.
The Attack Vector:
While the CVSS vector scores this as AV:L (Local), meaning the attacker requires some access to the system, the practical risk in an ICS environment is severe. The attack requires user interaction (UI:R), typically achieved by enticing an operator or engineer to open a maliciously crafted DPAX file.
In the context of manufacturing, engineers often transfer project files between air-gapped and non-air-gapped networks via USB or email. If an attacker compromises a business network email account and sends a rigged project file, or plants a malicious file on a USB drive, they could trigger RCE once the file is opened in the CNCSoft-G2 environment. Once code execution is achieved on the engineering workstation, the attacker can pivot to the Programmable Logic Controllers (PLCs) connected to that machine, altering logic or disrupting production.
CVSS Scoring
- Score: 7.8 (High)
- Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Impact: High (Confidentiality, Integrity, and Availability are all impacted).
Detection and Threat Hunting
Because this vulnerability is triggered by a local user action (opening a file), traditional network IDS/IPS may not catch the initial compromise. Security teams must shift their focus to endpoint detection and file integrity monitoring.
We have compiled detection logic to help your SOC identify vulnerable versions and suspicious file activity.
1. Identify Vulnerable Software Versions via PowerShell
Use this PowerShell script to scan your engineering workstations for installations of CNCSoft-G2 and check if the version is below the patched V2.1.0.39.
```powershell
# Check for Delta Electronics CNCSoft-G2 installations and version
$registryPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
$targetName = "CNCSoft-G2"
$vulnerableThreshold = [version]"2.1.0.39"

$installedApps = Get-ItemProperty $registryPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$targetName*" }

if ($installedApps) {
    foreach ($app in $installedApps) {
        try {
            $currentVersion = [version]$app.DisplayVersion
            if ($currentVersion -lt $vulnerableThreshold) {
                Write-Host "[VULNERABLE] Host: $env:COMPUTERNAME | App: $($app.DisplayName) | Version: $currentVersion"
            }
            else {
                Write-Host "[PATCHED] Host: $env:COMPUTERNAME | App: $($app.DisplayName) | Version: $currentVersion"
            }
        }
        catch {
            Write-Host "[ERROR] Could not parse version for $($app.DisplayName)"
        }
    }
}
else {
    Write-Host "No instances of CNCSoft-G2 found."
}
```
2. Hunt for Suspicious DPAX File Activity (KQL)
If you are using Microsoft Sentinel or Defender for Endpoint, you can monitor for unexpected access or creation of .dpax files, particularly if they originate from internet-connected zones or removable media.
```kql
// Hunt for DPAX file activity on endpoints where CNCSoft-G2 might be running
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".dpax"
| where ActionType in ("FileCreated", "FileModified")
| project Timestamp, DeviceName, ActionType, InitiatingProcessAccountName,
    InitiatingProcessFileName, FolderPath, SHA256
| order by Timestamp desc
```
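The query above reports that a DPAX file appeared, not where it came from. The following host-side triage script is an added example, not part of the original advisory or any vendor tooling: it lists .dpax files that carry an Internet or Restricted Mark-of-the-Web zone or that sit on removable media. The `$ScanRoots` defaults are assumptions and should be changed to the folders where your engineers keep project files.

```powershell
# Added example: flag .dpax files that carry Mark-of-the-Web or sit on removable media.
# $ScanRoots defaults are assumptions; point them at your project-file locations.
param(
    [string[]]$ScanRoots = @($env:USERPROFILE, $env:PUBLIC)
)

# ZoneId values recorded in the Zone.Identifier alternate data stream
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

# Win32_LogicalDisk DriveType 2 = removable disk; scan those volumes too
$removable = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' |
    ForEach-Object { "$($_.DeviceID)\" })

$roots = @($ScanRoots + $removable) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$findings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter *.dpax -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $zoneId = $null
            try {
                # Browsers and mail clients tag downloaded files in this NTFS stream
                $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop
                $m = [regex]::Match(($ads -join "`n"), 'ZoneId=(\d+)')
                if ($m.Success) { $zoneId = [int]$m.Groups[1].Value }
            } catch { }  # no stream present, or the volume is not NTFS

            $onRemovable = $removable -contains ([System.IO.Path]::GetPathRoot($file.FullName))

            # Report only files from the Internet/Restricted zones or on removable media
            if (($null -ne $zoneId -and $zoneId -ge 3) -or $onRemovable) {
                [pscustomobject]@{
                    Path          = $file.FullName
                    LastWriteTime = $file.LastWriteTime
                    Zone          = if ($null -ne $zoneId) { $zoneNames[$zoneId] } else { 'none' }
                    Removable     = $onRemovable
                    SHA256        = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

$findings | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Files copied from FAT or exFAT USB media lose any Zone.Identifier stream, so a file with no zone is not proof of a trusted origin; the SHA256 column can be matched against the hashes returned by the KQL hunt.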
Mitigation Strategies
Delta Electronics has released a patch that resolves this out-of-bounds write vulnerability. Immediate action is required to protect your manufacturing environment.
1. Patch Immediately
Update **CNCSoft-G2** to **Version 2.1.0.39** or later.
- Download Center: Delta Electronics Download Center
- Advisory Reference: Delta-PCSA-2026-00004
2. Strict Network Segmentation
Per CISA recommendations, ensure your control system networks are isolated from the business network. Engineering workstations should not have unrestricted internet access. If file transfer is necessary, use a secure, mediated jump host with content filtering and sandboxing.
3. Application Whitelisting
Implement application whitelisting (e.g., AppLocker) on engineering workstations to prevent the execution of unauthorized binaries that might be dropped as a second stage of an attack exploiting this vulnerability.
4. User Education
Remind operators and engineers that the "Human Firewall" is the last line of defense against file-based attacks. Instruct them never to open DPAX files from unknown or untrusted sources, especially those received via email.