PatchSiren

CVE-2021-38406 Delta Electronics CVE debrief

CVE-2021-38406 affects Delta Electronics DOPSoft 2 and is included in CISA’s Known Exploited Vulnerabilities catalog, which indicates it is a vulnerability of active defensive concern. CISA’s supplied note says the impacted product is end-of-life and should be disconnected if still in use. For organizations that still rely on DOPSoft 2, the safest response is to treat this as an urgent remediation item and remove exposure as quickly as possible.

Vendor: Delta Electronics
Product: DOPSoft 2
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2022-08-25
Original CVE updated: 2022-08-25
Advisory published: 2022-08-25
Advisory updated: 2022-08-25

Who should care

Industrial control system and OT teams, plant operators, asset owners, and security teams responsible for Delta Electronics DOPSoft 2 deployments—especially where the software is still in use on end-of-life systems.

Technical summary

The supplied corpus identifies the issue as an improper input validation vulnerability in Delta Electronics DOPSoft 2. CISA added CVE-2021-38406 to the Known Exploited Vulnerabilities catalog on 2022-08-25, with a due date of 2022-09-15. The corpus does not provide affected-version granularity or a CVSS score, but CISA’s required action states that the impacted product is end-of-life and should be disconnected if still in use.

Defensive priority

High. CISA KEV inclusion makes this an urgent remediation item, and the supplied guidance specifically calls for disconnecting the end-of-life product if it remains deployed.

Recommended defensive actions

  • Inventory where Delta Electronics DOPSoft 2 is installed or otherwise in use.
  • If the product is still in use, disconnect it as CISA directs for the end-of-life impacted product.
  • Plan replacement or decommissioning rather than continued operation.
  • Restrict network access to any remaining instances and minimize reachable attack surface.
  • Review the linked CISA KEV and NVD records for the latest official status and any additional vendor or advisory guidance.

Evidence notes

CISA’s KEV feed entry for CVE-2021-38406 names the vulnerability as “Delta Electronics DOPSoft 2 Improper Input Validation Vulnerability,” lists Delta Electronics as the vendor project and DOPSoft 2 as the product, and records dateAdded 2022-08-25 with dueDate 2022-09-15. The supplied notes explicitly state: “The impacted product is end-of-life and should be disconnected if still in use.” The corpus also links to the official CVE record and NVD detail page. No CVSS score or affected-version details were supplied.

Official resources

CISA added CVE-2021-38406 to its Known Exploited Vulnerabilities catalog on 2022-08-25. The supplied corpus does not include exploit mechanics, exploitation scope, or a CVSS score; this debrief is limited to the official KEV and CVE/NVD-re-