PatchSiren cyber security CVE debrief
CVE-2024-47964 Delta Electronics CVE debrief
CVE-2024-47964 is a heap-based buffer overflow vulnerability in Delta Electronics CNCSoft-G2 version 2.1.0.10, published by CISA on October 10, 2024. The flaw stems from improper validation of user-supplied data length before copying to a fixed-length heap buffer. An attacker can exploit this via social engineering—manipulating users to visit a malicious page or open a malicious file—to achieve code execution in the context of the current process. The vulnerability carries a CVSS 3.1 score of 7.8 (HIGH), with attack vector LOCAL, low attack complexity, no privileges required, and user interaction required. The CVSS 4.0 vector is also provided in the source advisory. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Delta Electronics has released a vendor fix in version 2.1.0.16 or later. CISA additionally recommends defensive measures against social engineering, including avoiding unsolicited email links and attachments.
- Vendor
- Delta Electronics
- Product
- CNCSoft-G2
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-10-10
- Original CVE updated
- 2024-10-10
- Advisory published
- 2024-10-10
- Advisory updated
- 2024-10-10
Who should care
Organizations operating Delta Electronics CNCSoft-G2 in industrial automation environments, particularly manufacturing and CNC machining facilities. Security teams responsible for OT/ICS asset protection, patch management personnel, and end-users of CNCSoft-G2 software who may be targeted by social engineering attacks.
Technical summary
The vulnerability exists in Delta Electronics CNCSoft-G2 version 2.1.0.10 due to insufficient validation of data length before copying user-supplied input to a fixed-length heap-based buffer. This classic heap buffer overflow condition can be triggered when a user is manipulated into visiting a malicious page or opening a malicious file. Successful exploitation results in arbitrary code execution within the context of the current process. The attack requires local access (AV:L) and user interaction (UI:R), but no privileges are required (PR:N). The CVSS 3.1 score of 7.8 reflects high impacts to confidentiality, integrity, and availability. The vendor has addressed this in version 2.1.0.16.
Defensive priority
HIGH
Recommended defensive actions
- Update Delta Electronics CNCSoft-G2 to version 2.1.0.16 or later as provided by the vendor.
- Implement network segmentation and restrict external access to systems running CNCSoft-G2 to reduce exposure to malicious files or pages.
- Train users to recognize and avoid social engineering attacks, including phishing emails with malicious attachments or links.
- Apply principle of least privilege to limit potential impact if exploitation occurs.
- Monitor for anomalous process behavior on systems running CNCSoft-G2 as a detection control.
Evidence notes
Vulnerability details and remediation guidance are derived from CISA CSAF advisory ICSA-24-284-21, which identifies the affected product as Delta Electronics CNCSoft-G2 version 2.1.0.10. The advisory specifies heap-based buffer overflow due to missing length validation, local attack vector with user interaction, and provides CVSS 3.1 and 4.0 scoring. Vendor fix version 2.1.0.16 is explicitly recommended. No KEV entry or ransomware use is indicated in the source corpus.
Official resources
-
CVE-2024-47964 CVE record
CVE.org
-
CVE-2024-47964 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-10-10