PatchSiren cyber security CVE debrief
CVE-2024-47963 Delta Electronics CVE debrief
Delta Electronics CNCSoft-G2 contains an out-of-bounds write vulnerability due to improper validation of user-supplied data. The flaw, published on 2024-10-10, allows an attacker to execute arbitrary code in the context of the current process by convincing a user to open a malicious file or visit a malicious page. The vulnerability affects CNCSoft-G2 version 2.1.0.10 and is rated HIGH severity with a CVSS 3.1 score of 7.8. The attack requires local access with user interaction, but no privileges are needed. Delta Electronics has released version 2.1.0.16 to address this issue.
- Vendor
- Delta Electronics
- Product
- CNCSoft-G2
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-10-10
- Original CVE updated
- 2024-10-10
- Advisory published
- 2024-10-10
- Advisory updated
- 2024-10-10
Who should care
Organizations using Delta Electronics CNCSoft-G2 for CNC machine programming and control, particularly in manufacturing and industrial automation environments. Security teams responsible for protecting operational technology (OT) environments and engineering workstations should prioritize patching. Organizations with bring-your-own-device policies or remote access to engineering systems face elevated risk due to the social engineering attack vector.
Technical summary
CVE-2024-47963 is an out-of-bounds write vulnerability in Delta Electronics CNCSoft-G2 version 2.1.0.10. The root cause is improper validation of user-supplied data, which can result in writing past the end of an allocated buffer. The vulnerability is exploitable when a user opens a malicious file or visits a malicious page, leading to arbitrary code execution in the context of the current process. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates local attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability. This vulnerability is particularly concerning in industrial environments where CNCSoft-G2 is used for machine tool programming and control, as successful exploitation could compromise engineering workstations and potentially extend to connected industrial equipment.
Defensive priority
HIGH
Recommended defensive actions
- Update Delta Electronics CNCSoft-G2 to version 2.1.0.16 or later as provided by the vendor.
- Implement application whitelisting to prevent execution of unauthorized software on engineering workstations running CNCSoft-G2.
- Restrict network access for systems running CNCSoft-G2 to essential communications only, following defense-in-depth principles for industrial control systems.
- Train users to recognize and avoid social engineering attacks, including unsolicited emails with attachments or web links.
- Apply the principle of least privilege to user accounts on systems hosting CNCSoft-G2.
Evidence notes
Vulnerability disclosed in CISA ICS Advisory ICSA-24-284-21 on 2024-10-10. Affected product confirmed as Delta Electronics CNCSoft-G2 version 2.1.0.10. Vendor fix available in version 2.1.0.16 or later.
Official resources
-
CVE-2024-47963 CVE record
CVE.org
-
CVE-2024-47963 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-10-10