PatchSiren cyber security CVE debrief
CVE-2024-39880 Delta Electronics CVE debrief
Delta Electronics CNCSoft-G2 contains a stack-based buffer overflow vulnerability due to improper validation of user-supplied data length before copying to a fixed-length buffer. An attacker can exploit this by convincing a target to visit a malicious page or open a malicious file, resulting in arbitrary code execution in the context of the current process. This vulnerability affects CNCSoft-G2 version 2.0.0.5. CISA published the initial advisory on July 9, 2024, with an update on February 18, 2025 that added the fixed version information to the mitigations section. The vulnerability carries a HIGH severity CVSS 3.1 score of 7.8, indicating significant risk to affected industrial control systems.
- Vendor: Delta Electronics
- Product: CNCSoft-G2
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-09
- Original CVE updated: 2025-02-18
- Advisory published: 2024-07-09
- Advisory updated: 2025-02-18
Who should care
Organizations operating Delta Electronics CNCSoft-G2 in manufacturing, industrial automation, and CNC machining environments. Security teams responsible for OT/ICS asset protection and patch management should prioritize this update due to the HIGH severity rating and potential for arbitrary code execution.
Technical summary
CVE-2024-39880 is a stack-based buffer overflow in Delta Electronics CNCSoft-G2 version 2.0.0.5. The vulnerability exists because the application fails to validate the length of user-supplied data before copying it into a fixed-length stack buffer. Exploitation requires a local attack vector with user interaction: a target must visit a malicious page or open a malicious file. Successful exploitation grants the attacker code execution in the context of the current process. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vendor released version 2.1.0.20 to address this vulnerability.
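To make the defect class concrete, here is an added example (constructed for this debrief, not CNCSoft-G2's code; the record layout, the 16-byte buffer and the function names are hypothetical) of a length-prefixed file record parser that checks the declared length against both the data present and the destination buffer, with the unchecked copy it replaces shown in a comment:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout for this example (not CNCSoft-G2's real file format):
 *   byte 0     : declared payload length N (attacker-controlled when the file is untrusted)
 *   bytes 1..N : payload, copied into a fixed-size stack buffer owned by the caller
 */
#define NAME_BUF_LEN 16

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Vulnerable form of the copy, for contrast (not called here):
 *     memcpy(out, rec + 1, rec[0]);
 * It trusts N: N larger than the destination writes past the stack buffer, and
 * N larger than the data present over-reads the record. The hardened form below
 * rejects both cases before touching the buffer. */
enum parse_status parse_name_record(const uint8_t *rec, size_t rec_len,
                                    char *out, size_t out_len)
{
    if (rec_len < 1) return PARSE_TRUNCATED;
    size_t n = rec[0];
    if (n > rec_len - 1) return PARSE_TRUNCATED; /* declared length exceeds the data present */
    if (n >= out_len)    return PARSE_TOO_LONG;  /* leave room for the NUL terminator */
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return PARSE_OK;
}

/* Exercise the parser on constructed records: a well-formed one, one whose length
 * field is inflated past the destination, and one whose length field exceeds the
 * bytes actually present. Returns 0 when every case behaves as expected. */
int check_sample_records(void)
{
    char name[NAME_BUF_LEN];
    const uint8_t good[] = { 5, 'P', 'A', 'R', 'T', '1' };
    const uint8_t short_rec[] = { 10, 'A', 'B' }; /* claims 10 bytes, carries 2 */
    uint8_t inflated[1 + 200];
    memset(inflated, 'A', sizeof inflated);
    inflated[0] = 200; /* far larger than the 16-byte destination */

    if (parse_name_record(good, sizeof good, name, sizeof name) != PARSE_OK) return 1;
    if (strcmp(name, "PART1") != 0) return 2;
    if (parse_name_record(inflated, sizeof inflated, name, sizeof name) != PARSE_TOO_LONG) return 3;
    if (parse_name_record(short_rec, sizeof short_rec, name, sizeof name) != PARSE_TRUNCATED) return 4;
    return 0;
}
```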
Defensive priority
high
Recommended defensive actions
- Update Delta Electronics CNCSoft-G2 to version 2.1.0.20 or later as recommended by the vendor
- Review Delta-PCSA-2025-00002 security advisory for additional technical details
- Implement network segmentation to isolate CNCSoft-G2 systems from business networks and the Internet
- Block untrusted Internet links and unsolicited email attachments through security controls
- Use VPN for any required remote access to affected systems
- Apply CISA ICS recommended practices for defense-in-depth security
- Contact Delta Electronics support through their portal for product-related assistance
Evidence notes
CISA CSAF advisory ICSA-24-191-01 provides the authoritative technical description and remediation guidance. The advisory confirms the affected product as Delta Electronics CNCSoft-G2 version 2.0.0.5.
Official resources
- CVE-2024-39880 CVE record (CVE.org)
- CVE-2024-39880 NVD detail (NVD)
CISA published the initial advisory ICSA-24-191-01 on July 9, 2024. Update A was released on February 18, 2025, adding the fixed version to mitigate CVE-2025-22880.