PatchSiren cyber security CVE debrief
CVE-2024-47966 Delta Electronics CVE debrief
A use of uninitialized memory vulnerability in Delta Electronics CNCSoft-G2 allows remote attackers to execute arbitrary code in the context of the current process through social engineering. The vulnerability, published October 10, 2024, affects version 2.1.0.10 and is rated HIGH severity (CVSS 7.8). Attackers can exploit this by manipulating users into visiting malicious pages or opening malicious files, which triggers the uninitialized memory condition. The vendor has released a patched version.
- Vendor: Delta Electronics
- Product: CNCSoft-G2
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-10
- Original CVE updated: 2024-10-10
- Advisory published: 2024-10-10
- Advisory updated: 2024-10-10
Who should care
Organizations operating Delta Electronics CNCSoft-G2 in manufacturing, automation, or industrial environments should prioritize patching. Security teams defending OT/ICS environments and personnel responsible for endpoint protection on engineering workstations are particularly affected. The social engineering attack vector necessitates user awareness training alongside technical controls.
Technical summary
CVE-2024-47966 is a use of uninitialized memory vulnerability (CWE-908) in Delta Electronics CNCSoft-G2 version 2.1.0.10. The software fails to properly initialize memory before accessing it, creating conditions for memory corruption. An attacker can exploit this by convincing a user to interact with malicious content (a web page or file), resulting in arbitrary code execution within the context of the current process. Exploitation requires a local attack vector and user interaction, but no privileges. The vendor has addressed this in version 2.1.0.16.
Defensive priority
HIGH
Recommended defensive actions
- Update Delta Electronics CNCSoft-G2 to version 2.1.0.16 or later as provided by the vendor.
- Implement network segmentation to limit exposure of industrial control systems to untrusted networks.
- Train personnel to recognize and avoid social engineering attacks, including phishing emails and unsolicited attachments.
- Apply the principle of least privilege to limit the potential impact of successful exploitation.
- Monitor for anomalous process behavior that may indicate code execution attempts.
Evidence notes
CISA ICS advisory ICSA-24-284-21 confirms the vulnerability exists in CNCSoft-G2 version 2.1.0.10 due to improper memory initialization. The advisory states attackers can leverage this through user interaction with malicious content to achieve code execution. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H yields a score of 7.8. No KEV listing or known ransomware campaign use is indicated.
Official resources
- CVE-2024-47966 CVE record (CVE.org)
- CVE-2024-47966 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-10-10