PatchSiren cyber security CVE debrief
CVE-2024-47965 Delta Electronics CVE debrief
CVE-2024-47965 is a high-severity out-of-bounds read vulnerability in Delta Electronics CNCSoft-G2 version 2.1.0.10, published by CISA on October 10, 2024. The flaw stems from improper validation of user-supplied data, allowing an attacker to read past the end of an allocated buffer. Successful exploitation requires user interaction—specifically, tricking a user into visiting a malicious page or opening a malicious file—after which code execution can occur in the context of the current process. The CVSS 3.1 score of 7.8 reflects high impacts to confidentiality, integrity, and availability, with a local attack vector and required user interaction. Delta Electronics has released a patched version, and CISA provides social engineering mitigations given the user-interaction dependency of this vulnerability.
- Vendor
- Delta Electronics
- Product
- CNCSoft-G2
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-10-10
- Original CVE updated
- 2024-10-10
- Advisory published
- 2024-10-10
- Advisory updated
- 2024-10-10
Who should care
Organizations operating Delta Electronics CNCSoft-G2 in industrial control system environments, particularly manufacturing and automation facilities using CNC (Computer Numerical Control) systems. Security teams responsible for OT/ICS asset management, patch management programs covering industrial software, and personnel involved in user awareness training for social engineering defense should prioritize this vulnerability given its high severity and the user-interaction attack vector.
Technical summary
CVE-2024-47965 is an out-of-bounds read vulnerability in Delta Electronics CNCSoft-G2 version 2.1.0.10, caused by improper validation of user-supplied data. The vulnerability allows reading beyond allocated buffer boundaries, which can be leveraged to achieve code execution in the context of the current process. Exploitation requires user interaction: an attacker must convince a user to visit a malicious web page or open a malicious file. The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates that while the attack vector is local and requires user interaction, successful exploitation results in high impact across confidentiality, integrity, and availability. Delta Electronics has released version 2.1.0.16 to address this vulnerability.
Defensive priority
HIGH
Recommended defensive actions
- Update Delta Electronics CNCSoft-G2 to version 2.1.0.16 or later as provided by the vendor.
- Implement user awareness training to recognize and avoid social engineering attacks, particularly unsolicited emails with web links or attachments.
- Apply network segmentation and least-privilege principles to limit potential impact if exploitation occurs.
- Monitor for anomalous process behavior in CNCSoft-G2 deployments that may indicate attempted exploitation.
Evidence notes
Vulnerability details and remediation guidance are derived from CISA CSAF advisory ICSA-24-284-21, which identifies the affected product as Delta Electronics CNCSoft-G2 version 2.1.0.10. The advisory specifies that improper validation of user-supplied data leads to an out-of-bounds read, with exploitation requiring user interaction through malicious pages or files. CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H confirms local attack vector with required user interaction but high impact potential. Vendor fix to version 2.1.0.16 or later is documented in the CSAF remediation section.
Official resources
-
CVE-2024-47965 CVE record
CVE.org
-
CVE-2024-47965 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-10-10