PatchSiren

CVE-2024-4192 Delta Electronics CVE debrief

Delta Electronics CNCSoft-G2 contains a stack-based buffer overflow caused by improper validation of the length of user-supplied data before it is copied to a fixed-length buffer. The attack vector is local, and exploitation allows code execution in the context of the current process. The vulnerability was disclosed in April 2024, and the advisory was updated in October 2025 to reflect modified affected products and mitigations. Affected versions are CNCSoft-G2 2.0.0.5 and earlier with DOPSoft v5.0.0.93. Delta Electronics has released version 2.1.0.4 to address this issue.

Vendor: Delta Electronics
Product: CNCSoft-G2
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-30
Original CVE updated: 2025-10-16
Advisory published: 2024-04-30
Advisory updated: 2025-10-16

Who should care

Organizations using Delta Electronics CNCSoft-G2 for HMI configuration in industrial automation environments, particularly manufacturing facilities with Delta DOP series operator panels. Security teams responsible for OT/ICS asset management and patch deployment should prioritize this update due to the high impact potential and availability of a vendor fix.

Technical summary

CVE-2024-4192 is a stack-based buffer overflow in Delta Electronics CNCSoft-G2, an HMI (Human-Machine Interface) configuration software used with Delta DOP series touch panels. The vulnerability exists in file parsing functionality where user-supplied data length is not properly validated before being copied to a fixed-length stack buffer. Successful exploitation allows arbitrary code execution with the privileges of the current process. The attack requires local access and user interaction, with attack complexity rated as low. This vulnerability affects CNCSoft-G2 version 2.0.0.5 and earlier when used with DOPSoft v5.0.0.93. Delta Electronics released version 2.1.0.4 as a security update. The October 2025 advisory update modified affected product listings and mitigation guidance.
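
The flaw class described above, shown as an added example that is not Delta Electronics' code. The advisory does not describe the actual file format, so the record layout (a 2-byte length followed by a name), the 64-byte buffer and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64 /* fixed stack buffer size (constructed value) */

/* Hypothetical record: 2-byte little-endian length, then that many name bytes. */
static const uint8_t REC_OK[]        = { 0x03, 0x00, 'D', 'O', 'P' };
static const uint8_t REC_OVERSIZE[]  = { 0x00, 0x04, 'A', 'A', 'A' }; /* claims 1024 */
static const uint8_t REC_TRUNCATED[] = { 0x05, 0x00, 'D', 'O' };      /* claims 5, has 2 */

/* Flawed pattern, shown for contrast and never called: the length read
 * from the file drives memcpy, so n > FIELD_MAX writes past name[]. */
int parse_name_unchecked(const uint8_t *rec, char *out)
{
    char name[FIELD_MAX];
    size_t n = (size_t)rec[0] | ((size_t)rec[1] << 8);
    memcpy(name, rec + 2, n);
    memcpy(out, name, n);
    return (int)n;
}

/* Hardened form: returns the name length, or -1 when the record is truncated
 * or the declared length does not fit. out must hold FIELD_MAX bytes. */
int parse_name_checked(const uint8_t *rec, size_t rec_len, char *out)
{
    char name[FIELD_MAX];
    if (rec == NULL || out == NULL || rec_len < 2)
        return -1;
    size_t n = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (n >= FIELD_MAX)   /* keep one byte for the terminator */
        return -1;
    if (n > rec_len - 2)  /* declared length exceeds bytes actually present */
        return -1;
    memcpy(name, rec + 2, n);
    name[n] = '\0';
    memcpy(out, name, n + 1);
    return (int)n;
}

int main(void)
{
    char out[FIELD_MAX];
    printf("ok=%d oversize=%d truncated=%d\n",
           parse_name_checked(REC_OK, sizeof REC_OK, out),
           parse_name_checked(REC_OVERSIZE, sizeof REC_OVERSIZE, out),
           parse_name_checked(REC_TRUNCATED, sizeof REC_TRUNCATED, out));
    return 0;
}
```

The two checks are independent: the first bounds the declared length against the destination, the second against the bytes actually present in the input, and a parser needs both.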

Defensive priority

HIGH

Recommended defensive actions

  • Update CNCSoft-G2 to version 2.1.0.4 or later to remediate this vulnerability
  • Review Delta Electronics' published security advisory for additional technical details
  • Apply defense-in-depth practices for industrial control systems per CISA guidance
  • Restrict local access to engineering workstations running CNCSoft-G2
  • Monitor for anomalous process behavior on systems running affected versions

Evidence notes

CISA ICS advisory ICSA-24-121-01 (Update A) published 2024-04-30, modified 2025-10-16. CVSS 3.1 score 7.8 (HIGH). Vendor fix available in CNCSoft-G2 v2.1.0.4 or later.
