PatchSiren

CVE-2024-39881 Delta Electronics CVE debrief

Delta Electronics CNCSoft-G2 contains a memory corruption vulnerability due to improper validation of user-supplied data. An attacker can exploit this flaw by convincing a target to visit a malicious web page or open a malicious file, resulting in arbitrary code execution within the context of the current process. The vulnerability affects CNCSoft-G2 version 2.0.0.5. CISA published the initial advisory on 2024-07-09, with an update on 2025-02-18 that added the fixed version information. Delta Electronics has released version 2.1.0.20 to address this issue.

Vendor: Delta Electronics
Product: CNCSoft-G2
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-09
Original CVE updated: 2025-02-18
Advisory published: 2024-07-09
Advisory updated: 2025-02-18

Who should care

Organizations operating Delta Electronics CNCSoft-G2 in manufacturing, machining, or industrial automation environments. Security teams responsible for OT/ICS asset protection and patch management. Engineers and operators using CNCSoft-G2 for machine control and programming.

Technical summary

CVE-2024-39881 is a memory corruption vulnerability in Delta Electronics CNCSoft-G2 version 2.0.0.5 caused by insufficient validation of user-supplied data. The vulnerability can be triggered when a user opens a malicious file or visits a malicious web page, allowing an attacker to execute arbitrary code in the context of the current process. The CVSS 3.1 score is 7.8 (HIGH), indicating significant impact to confidentiality, integrity, and availability. Delta Electronics has released version 2.1.0.20 to remediate this vulnerability.

Defensive priority

HIGH

Recommended defensive actions

  • Update Delta Electronics CNCSoft-G2 to version 2.1.0.20 or later as soon as possible.
  • Consult vendor security advisory Delta-PCSA-2025-00002 for additional technical details.
  • Implement network segmentation to isolate CNCSoft-G2 installations from business networks and the Internet.
  • Block untrusted Internet links and unsolicited email attachments at the email gateway and endpoint level.
  • Use VPN for any required remote access to systems running CNCSoft-G2.
  • Review CISA ICS recommended practices for defense-in-depth strategies applicable to industrial control systems.

Evidence notes

CISA ICS Advisory ICSA-24-191-01 (Update A) documents this vulnerability in Delta Electronics CNCSoft-G2 version 2.0.0.5. The advisory was initially published on 2024-07-09 and modified on 2025-02-18 to include the fixed version. The CVSS 3.1 score is 7.8 (HIGH), with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
