PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-22880 Delta Electronics CVE debrief

Delta Electronics CNCSoft-G2 Version 2.1.0.10 and prior contains a heap-based buffer overflow vulnerability due to improper validation of user-supplied data length before copying to a fixed-length buffer. This vulnerability allows remote code execution in the context of the current process when a target visits a malicious page or opens a malicious file. The vulnerability was initially disclosed on July 9, 2024, and subsequently updated on February 18, 2025, to include the fixed version information. Delta Electronics has released version 2.1.0.20 to address this vulnerability.

Vendor: Delta Electronics
Product: CNCSoft-G2
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-09
Original CVE updated: 2025-02-18
Advisory published: 2024-07-09
Advisory updated: 2025-02-18

Who should care

Organizations using Delta Electronics CNCSoft-G2 for CNC machine control and automation, particularly in manufacturing and industrial environments. Security teams responsible for OT/ICS infrastructure, system administrators managing CNCSoft-G2 deployments, and industrial engineers relying on this software for machine operations should prioritize patching. Organizations with CNCSoft-G2 systems accessible via network connections or with users who may receive external files face elevated risk.

Technical summary

CVE-2025-22880 is a heap-based buffer overflow in Delta Electronics CNCSoft-G2 Version 2.1.0.10 and prior. The vulnerability exists due to insufficient validation of user-supplied data length before copying to a fixed-length heap-based buffer. An attacker can exploit this by convincing a target to visit a malicious page or open a malicious file, resulting in arbitrary code execution within the context of the current process. The CVSS 3.1 score is 7.8 (HIGH). Delta Electronics has released version 2.1.0.20 to remediate this vulnerability.
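To make the defect class concrete, the following is an added illustration in C written for this debrief; it is not code from CNCSoft-G2 or from Delta Electronics, and the record format, the RECORD_MAX constant and all function names are assumptions chosen for the example. A hypothetical record parser reads a 2-byte length header and copies that many payload bytes into a fixed 64-byte heap buffer. The vulnerable form trusts the declared length as the copy size, which is the pattern the advisory describes; the hardened form bounds the declared length against both the bytes actually present and the destination size before copying, and rejects anything that does not fit.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record format used for illustration only: a 2-byte
 * little-endian length field followed by that many payload bytes.
 * This is NOT the CNCSoft-G2 file format. */
#define RECORD_MAX 64   /* size of the fixed-length heap buffer */

struct record {
    uint8_t *data;      /* heap buffer of exactly RECORD_MAX bytes */
    size_t   len;       /* number of payload bytes copied */
};

/* Vulnerable pattern: the declared length is trusted as the copy size,
 * but the destination is always RECORD_MAX bytes. A declared length
 * above RECORD_MAX overruns the heap allocation. Kept here only to
 * show the defect; it is never called on untrusted input below. */
struct record *parse_record_vulnerable(const uint8_t *buf, size_t buflen)
{
    if (buflen < 2) return NULL;
    size_t declared = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (buflen - 2 < declared) return NULL;      /* input truncation check only */

    struct record *r = malloc(sizeof *r);
    if (!r) return NULL;
    r->data = malloc(RECORD_MAX);                /* fixed-length buffer */
    if (!r->data) { free(r); return NULL; }
    memcpy(r->data, buf + 2, declared);          /* BUG: declared may exceed RECORD_MAX */
    r->len = declared;
    return r;
}

/* Hardened pattern: validate the declared length against BOTH the bytes
 * actually present and the fixed destination size before copying. */
struct record *parse_record_checked(const uint8_t *buf, size_t buflen)
{
    if (buflen < 2) return NULL;
    size_t declared = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (declared > buflen - 2) return NULL;      /* truncated input */
    if (declared > RECORD_MAX) return NULL;      /* would overflow destination */

    struct record *r = malloc(sizeof *r);
    if (!r) return NULL;
    r->data = malloc(RECORD_MAX);
    if (!r->data) { free(r); return NULL; }
    memcpy(r->data, buf + 2, declared);
    r->len = declared;
    return r;
}

void record_free(struct record *r)
{
    if (r) { free(r->data); free(r); }
}

/* Builds a constructed test record in out: length header plus a payload
 * filled with 'A'. Returns total bytes written, or 0 if out is too small. */
size_t make_record(uint8_t *out, size_t outlen, size_t payload_len)
{
    if (payload_len > 0xFFFF || outlen < 2 + payload_len) return 0;
    out[0] = (uint8_t)(payload_len & 0xFF);
    out[1] = (uint8_t)(payload_len >> 8);
    memset(out + 2, 'A', payload_len);
    return 2 + payload_len;
}

/* Returns 1 if the checked parser accepts a record with the given payload
 * length, 0 if it rejects it. */
int checked_parser_accepts(size_t payload_len)
{
    uint8_t buf[2 + 256];
    size_t n = make_record(buf, sizeof buf, payload_len);
    if (n == 0) return 0;
    struct record *r = parse_record_checked(buf, n);
    int ok = (r != NULL && r->len == payload_len);
    record_free(r);
    return ok;
}

int main(void)
{
    /* A well-formed record is accepted; an oversized one is rejected
     * instead of overrunning the 64-byte heap buffer. */
    assert(checked_parser_accepts(16) == 1);
    assert(checked_parser_accepts(200) == 0);
    return 0;
}
```

The two parsers differ by a single comparison, which is typical of this bug class: the vulnerable version does check that the input is long enough to read from, but never checks that the destination is large enough to write to. When auditing or fuzzing a file parser, every length field read from the input should be traced to both checks before any copy.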

Defensive priority

HIGH

Recommended defensive actions

  • Update Delta Electronics CNCSoft-G2 to version 2.1.0.20 or later as recommended by the vendor.
  • Review and apply Delta-PCSA-2025-00002 security advisory for additional technical details.
  • Implement network segmentation to isolate CNCSoft-G2 systems from business networks and the Internet.
  • Block untrusted Internet links and unsolicited email attachments at the email gateway and endpoint level.
  • Disable or restrict remote access to CNCSoft-G2 systems; where required, enforce VPN-only access with strong authentication.
  • Apply defense-in-depth strategies for industrial control systems per CISA guidance.
  • Contact Delta Electronics support for product-related assistance if needed.

Evidence notes

CISA CSAF advisory ICSA-24-191-01 (Update A) published 2024-07-09, modified 2025-02-18. CVSS 3.1 score 7.8 (HIGH). Affected product: Delta Electronics CNCSoft-G2 <=2.1.0.10. Fixed version: 2.1.0.20 or later.

Official resources

Delta Electronics CNCSoft-G2 Version 2.1.0.10 and prior lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file anatt