PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-39882 Delta Electronics CVE debrief

Delta Electronics CNCSoft-G2 contains an out-of-bounds read vulnerability caused by improper validation of user-supplied data. The flaw exists in version 2.0.0.5 and is triggered when a target visits a malicious page or opens a malicious file; successful exploitation can allow an attacker to execute arbitrary code in the context of the current process. CISA published the initial advisory on July 9, 2024 and updated it on February 18, 2025 to add the fixed version. The vulnerability carries a CVSS 3.1 base score of 7.8 (HIGH) with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: local attack vector, low attack complexity, no privileges required, user interaction required, and high impact to confidentiality, integrity, and availability. Delta Electronics has addressed the issue in version 2.1.0.20; users should update to that version or later.

Vendor
Delta Electronics
Product
CNCSoft-G2
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-07-09
Original CVE updated
2025-02-18
Advisory published
2024-07-09
Advisory updated
2025-02-18

Who should care

Organizations operating Delta Electronics CNCSoft-G2 in manufacturing, industrial automation, and CNC machining environments should prioritize patching. Security teams responsible for OT/ICS environments, plant engineers, and system integrators deploying Delta CNC solutions should assess exposure and implement mitigations. Because exploitation requires user interaction (opening a malicious file or visiting a malicious page), operator training and email security controls are particularly relevant.

Technical summary

CVE-2024-39882 is an out-of-bounds read vulnerability in Delta Electronics CNCSoft-G2 version 2.0.0.5. The vulnerability stems from improper validation of user-supplied data: a value taken from attacker-controlled input is used without being checked against the size of the buffer it indexes, so the software reads past the end of an allocated buffer. Successful exploitation requires user interaction, either visiting a malicious web page or opening a malicious file. If exploited, the vulnerability allows an attacker to execute arbitrary code in the context of the current process. The CVSS 3.1 score of 7.8 reflects high impacts to confidentiality, integrity, and availability. Delta Electronics has addressed this issue in version 2.1.0.20. The February 2025 advisory update also references the related vulnerability CVE-2025-22880, so the same update is relevant to more than one security issue in the product.
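The following is an added, constructed illustration of the bug class the advisory describes, not CNCSoft-G2 code and not a reproduction of the actual CVE-2024-39882 defect (the real file format and the affected parsing routine are not public in the advisory). The toy format ("CNCX" magic, 16-bit length, payload), the function names and the sample bytes are all assumptions made for this example. It shows a parser that trusts a length field from the file and therefore reads adjacent memory, next to the hardened form that rejects a length larger than the data actually present.

```c
/*
 * Illustrative out-of-bounds read in a file parser, plus the hardened form.
 * Added example: NOT CNCSoft-G2 code and not the real CVE-2024-39882 defect.
 * It only shows the class of bug the advisory describes (a length field
 * from the file trusted without validation) and the check that closes it.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format: 4-byte magic "CNCX", 2-byte little-endian payload
 * length, then the payload bytes. */
#define HDR_LEN 6

static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* VULNERABLE: trusts the declared length. A file that declares more payload
 * than it contains makes the loop read past the end of the file buffer.
 * Returns the byte sum of the payload it read, or -1 on a bad header. */
long payload_sum_vulnerable(const uint8_t *file, size_t file_len) {
    if (file_len < HDR_LEN || memcmp(file, "CNCX", 4) != 0) return -1;
    uint16_t declared = rd16le(file + 4);
    long sum = 0;
    for (size_t i = 0; i < declared; i++)
        sum += file[HDR_LEN + i];   /* never compared against file_len */
    return sum;
}

/* HARDENED: the declared length must fit in the bytes actually present.
 * Returns -2 for a truncated or malicious length. */
long payload_sum_hardened(const uint8_t *file, size_t file_len) {
    if (file_len < HDR_LEN || memcmp(file, "CNCX", 4) != 0) return -1;
    uint16_t declared = rd16le(file + 4);
    if (declared > file_len - HDR_LEN) return -2;   /* file_len >= HDR_LEN here */
    long sum = 0;
    for (size_t i = 0; i < declared; i++)
        sum += file[HDR_LEN + i];
    return sum;
}

/* Constructed "process memory": a 10-byte malicious file followed by six
 * unrelated bytes standing in for whatever sits next to the buffer. Keeping
 * it all in one array keeps this demo itself free of undefined behaviour. */
static const uint8_t memory[16] = {
    'C', 'N', 'C', 'X', 0x08, 0x00,        /* header declares 8 payload bytes */
    1, 2, 3, 4,                            /* only 4 payload bytes exist     */
    0x10, 0x20, 0x30, 0x40, 0xAA, 0xBB     /* adjacent data, not the file    */
};
#define FILE_LEN 10   /* bytes that actually belong to the malicious file */

/* Constructed benign file: declared length matches the payload. */
static const uint8_t benign[10] = { 'C', 'N', 'C', 'X', 0x04, 0x00, 1, 2, 3, 4 };

long demo_malicious_vulnerable(void) { return payload_sum_vulnerable(memory, FILE_LEN); }
long demo_malicious_hardened(void)   { return payload_sum_hardened(memory, FILE_LEN); }
long demo_benign_vulnerable(void)    { return payload_sum_vulnerable(benign, sizeof benign); }
long demo_benign_hardened(void)      { return payload_sum_hardened(benign, sizeof benign); }

int main(void) {
    /* Both parsers agree on the benign file (sum 10); on the malicious file
     * the vulnerable parser returns 170 because it also summed the four
     * adjacent bytes 0x10..0x40, while the hardened one rejects it (-2). */
    printf("benign:    vulnerable=%ld hardened=%ld\n",
           demo_benign_vulnerable(), demo_benign_hardened());
    printf("malicious: vulnerable=%ld hardened=%ld\n",
           demo_malicious_vulnerable(), demo_malicious_hardened());
    return 0;
}
```

The point of the hardened check is the order of operations: the length is compared against the real buffer size before any indexing, and the earlier `file_len < HDR_LEN` guard guarantees that `file_len - HDR_LEN` cannot underflow. In a real parser the leaked adjacent bytes could be pointers or other process state, which is how an out-of-bounds read becomes a stepping stone to code execution in the context of the current process.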

Defensive priority

HIGH

Recommended defensive actions

  • Update Delta Electronics CNCSoft-G2 to version 2.1.0.20 or later as recommended by the vendor, and verify the installed version after upgrading
  • Review the Delta-PCSA-2025-00002 security advisory for additional technical details
  • Implement network segmentation to isolate CNCSoft-G2 systems from business networks and the Internet
  • Deploy host-based protections and application whitelisting on systems running CNCSoft-G2
  • Train operators to avoid clicking untrusted links or opening unsolicited email attachments or project files from untrusted sources
  • Use VPN for any required remote access to affected systems, keeping in mind that VPNs themselves must be kept up to date and are only as secure as the connected devices
  • Apply defense-in-depth strategies per CISA ICS recommended practices

Evidence notes

Vulnerability confirmed in Delta Electronics CNCSoft-G2 version 2.0.0.5. Root cause identified as improper validation of user-supplied data leading to out-of-bounds read. Attack vector requires user interaction through visiting a malicious page or opening a malicious file.

Official resources

CISA published the initial advisory ICSA-24-191-01 on July 9, 2024. Update A was released on February 18, 2025 to include the fixed version for CVE-2024-39882 and to reference the additional related issue CVE-2025-22880.