PatchSiren cyber security CVE debrief
CVE-2025-22883 Delta Electronics CVE debrief
CVE-2025-22883 affects Delta Electronics ISPSoft versions 3.19 and prior. According to the CISA CSAF advisory, the issue is an out-of-bounds write that can allow arbitrary code execution when ISPSoft parses DVP files. Delta recommends updating to ISPSoft v3.21 or later. This is a high-severity issue (CVSS 7.8) and is especially important for environments where engineering workstations routinely open DVP files from external or untrusted sources.
- Vendor: Delta Electronics
- Product: ISPSoft
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-29
- Original CVE updated: 2025-05-06
- Advisory published: 2025-04-29
- Advisory updated: 2025-05-06
Who should care
OT/ICS teams using Delta Electronics ISPSoft, engineering workstation owners, automation engineers, plant security teams, and vulnerability management teams responsible for Windows-based engineering tools used to open DVP project files.
Technical summary
The advisory describes a memory corruption condition in ISPSoft's DVP file parsing logic. A crafted DVP file can trigger an out-of-bounds write, which may lead to arbitrary code execution in the context of the user running ISPSoft. The supplied CVSS 3.1 vector indicates local attack conditions with required user interaction (AV:L/UI:R), no privileges needed, and high impact to confidentiality, integrity, and availability. In practice this means the attacker has to get a malicious DVP file onto the workstation (email, removable media, a shared project folder, an integrator handover) and an engineer has to open it; the vulnerability is not reachable over the network on its own, which is why the exposure is driven by file-handling workflows rather than by open ports.
Defensive priority
High for any organization that uses ISPSoft in operational or engineering workflows, particularly where DVP files may be transferred from external parties or shared across trust boundaries. Patch prioritization should be elevated for exposed engineering workstations and shared file-handling environments.
Recommended defensive actions
- Update Delta Electronics ISPSoft to version 3.21 or later, as recommended in the vendor advisory.
- Inventory engineering workstations and confirm which systems have ISPSoft version 3.19 or earlier installed.
- Treat DVP files from outside trusted workflows as untrusted input and review file-handling procedures accordingly.
- Reduce exposure of engineering workstations by following CISA ICS recommended practices, including segmentation and limiting unnecessary software on critical systems.
- Use application control, least privilege, and workstation hardening measures appropriate for ICS engineering environments.
- Monitor vendor and CISA advisories for any follow-up guidance or corrections related to CVE-2025-22883.
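The inventory step above is where most teams lose time, because engineering workstations are rarely covered well by the corporate software inventory. The script below is an added example, not code from Delta Electronics or CISA: it reads the Windows Uninstall registry keys for an ISPSoft entry and compares its version against the 3.21 fix level stated in the advisory. Two things are assumptions rather than facts from the advisory: that the installer registers an Uninstall entry whose DisplayName contains "ISPSoft", and that its DisplayVersion carries the product version (possibly with a leading "V"). Anything it cannot parse is reported as UNKNOWN for manual review instead of being silently treated as patched.

```powershell
# Added example for inventorying ISPSoft on Windows engineering workstations.
# Not from the Delta/CISA advisory. Assumptions (verify on one known host first):
#   - ISPSoft registers an Uninstall key with DisplayName containing "ISPSoft"
#   - DisplayVersion holds the product version, e.g. "3.19" or "V3.19"
# The 3.19 (affected) / 3.21 (fixed) boundary comes from the advisory text.

function Get-ISPSoftInstall {
    # Everything the function needs is defined inside it so the same
    # scriptblock can be shipped to remote hosts with Invoke-Command.
    $fixedVersion = [version]'3.21'   # vendor-recommended minimum per the advisory

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs (current user only)
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ISPSoft*' } |   # name match is an assumption
        ForEach-Object {
            $raw = [string]$_.DisplayVersion
            # Tolerate a leading "V"/"v" (e.g. "V3.19"); [version] needs at least major.minor.
            $candidate = $raw.TrimStart('V', 'v')
            $parsed = $null
            $ok = [version]::TryParse($candidate, [ref]$parsed)

            # Numeric comparison matters: as strings "3.2" sorts above "3.19",
            # but [version] correctly treats 3.2 < 3.19 < 3.21.
            $status = if (-not $ok) {
                'UNKNOWN - review manually'
            } elseif ($parsed -lt $fixedVersion) {
                'VULNERABLE (CVE-2025-22883: update to 3.21 or later)'
            } else {
                'OK'
            }

            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $raw
                InstallPath    = $_.InstallLocation
                Status         = $status
            }
        }
}

# Local check on the workstation you are sitting at:
Get-ISPSoftInstall | Format-Table -AutoSize

# Fleet check over WinRM. The hostname file is a placeholder you maintain;
# hosts that return nothing have no ISPSoft Uninstall entry (or a different
# DisplayName), so reconcile them against your OT asset list rather than
# assuming they are clean.
# Invoke-Command -ComputerName (Get-Content .\engineering-workstations.txt) `
#     -ScriptBlock ${function:Get-ISPSoftInstall} |
#     Export-Csv .\ispsoft-inventory.csv -NoTypeInformation
```

Run it once on a machine where you know ISPSoft's exact version so you can confirm the DisplayName and DisplayVersion assumptions before trusting the fleet-wide results. Portable or copied installations that never went through the installer will not appear in the Uninstall keys at all; for those, a file search for the ISPSoft executable and a check of its file version is the fallback.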
Evidence notes
Primary evidence comes from the CISA CSAF advisory for ICSA-25-119-02, which identifies Delta Electronics ISPSoft versions 3.19 and prior as affected by an out-of-bounds write during DVP parsing and states that updating to v3.21 or later is the vendor recommendation. The CVSS 3.1 vector and score are included in the supplied source item metadata. The advisory was initially published on 2025-04-29 and revised on 2025-05-06 for typo fixes.
Official resources
- CVE-2025-22883 CVE record (CVE.org)
- CVE-2025-22883 NVD detail (NVD)
- Source item URL: cisa_csaf
- Source reference
CISA published the advisory on 2025-04-29 and issued a revision on 2025-05-06 for typo fixes. The CVE is not listed in CISA KEV in the supplied data.