PatchSiren cyber security CVE debrief
CVE-2025-3495 Delta Electronics CVE debrief
Delta Electronics COMMGR is affected by a critical authentication weakness caused by insufficiently randomized session IDs. According to the CISA advisory, an attacker could brute force a session ID and then load and execute arbitrary code. The advisory lists COMMGR Version 1 as end-of-life and indicates a fixed release is available in COMMGR v2.10.0.
- Vendor: Delta Electronics
- Product: COMMGR (Version 1)
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-15
- Original CVE updated: 2025-09-04
- Advisory published: 2025-04-15
- Advisory updated: 2025-09-04
Who should care
Industrial control system operators, OT/security teams, and engineering staff running Delta Electronics COMMGR Version 1 or COMMGR Version 2 up to and including v2.9.0. It matters most where the software is reachable from untrusted networks or is used for remote management, since the CVSS vector requires no privileges or user interaction.
Technical summary
CISA’s CSAF advisory describes CVE-2025-3495 as an insufficient-randomness issue in session ID generation. Because the session IDs can be brute forced, the flaw can be used to bypass authentication and reach code-execution impact, with CVSS 3.1 scored at 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The affected products in the advisory are Delta Electronics COMMGR Version 1 and COMMGR Version 2 up to and including v2.9.0; the advisory revision history shows an Update A on 2025-09-04 that updated mitigation guidance and affected versions.
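To make the advisory's "insufficient randomness" point concrete, the following is an added example, not COMMGR's code: the advisory does not say how COMMGR derives its session IDs, so the weak generator below is a hypothetical time-seeded 32-bit scheme chosen only to show why a guessable seed collapses the brute-force cost. It contrasts that scheme with a 128-bit ID drawn from the OS CSPRNG, and shows how an attacker who knows roughly when a session was created recovers the weak ID in about a hundred guesses. All function names and the timestamp are this example's own constructions.

```python
import math
import random
import secrets
from typing import Optional

# Constructed, hypothetical weak scheme: a PRNG seeded with the session's
# creation time. Not COMMGR's actual generator; the advisory does not
# describe it. The seed is guessable to within seconds from a log line or
# an HTTP Date header, so the ID carries far less than its 32-bit format.
def weak_session_id(created_at: int) -> str:
    rng = random.Random(created_at)
    return f"{rng.getrandbits(32):08x}"      # 8 hex chars, at most 32 bits

# Hardened form: draw the ID from the OS CSPRNG with enough bits that
# online brute force is infeasible regardless of what the attacker knows.
def strong_session_id(nbytes: int = 16) -> str:
    return secrets.token_hex(nbytes)         # 128 bits of entropy

def format_entropy_bits(session_id: str, alphabet_size: int = 16) -> float:
    """Upper bound on entropy implied by length and alphabet alone.
    Real entropy can only be lower (e.g. a PRNG seeded from the clock)."""
    return len(session_id) * math.log2(alphabet_size)

def expected_guesses(entropy_bits: float) -> float:
    """Average guesses to hit one valid ID by exhaustive search."""
    return 2 ** (entropy_bits - 1)

def recover_weak_session_id(observed: str, approx_time: int,
                            window: int = 60) -> Optional[int]:
    """Attacker model: knows the creation time to within `window` seconds
    and re-derives the seed by trying every second in that range."""
    for delta in range(-window, window + 1):
        candidate = approx_time + delta
        if weak_session_id(candidate) == observed:
            return candidate
    return None

if __name__ == "__main__":
    created = 1_750_000_000                  # constructed timestamp
    sid = weak_session_id(created)
    print("weak id:", sid, "format bound:", format_entropy_bits(sid), "bits")
    print("seed recovered from a +17 s estimate:",
          recover_weak_session_id(sid, created + 17))
    strong = strong_session_id()
    print("strong id:", strong, "format bound:", format_entropy_bits(strong), "bits")
    print("expected guesses at 128 bits: %.3e" % expected_guesses(128))
```

The lesson carries over to any session-bearing service: `format_entropy_bits` only tells you what the ID could hold; the seed and generator decide what it actually holds, and an attacker who can narrow the seed (here, a two-minute window) needs roughly 121 requests rather than 2^31.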
Defensive priority
Immediate. Treat as a critical, network-exploitable issue with no privileges or user interaction required in the CVSS vector. Prioritize exposure reduction and upgrade planning now, especially for any OT or engineering workstation deployment.
Recommended defensive actions
- Upgrade to Delta Electronics COMMGR v2.10.0, which the advisory lists as the released fixed version.
- If you are still using COMMGR Version 1, treat it as end-of-life and plan replacement or migration immediately.
- Minimize network exposure for control system devices and software; do not leave them accessible from the Internet.
- When remote access is required, use secure methods such as VPNs.
- Place control system networks and remote devices behind firewalls and isolate them from the business network.
- Never connect programming software to any network other than the one intended for that device.
- Verify where COMMGR Version 2 v2.9.0 or earlier is installed and prioritize those assets for remediation.
Evidence notes
All claims are supported by the supplied CISA CSAF advisory and its revision history. The advisory explicitly states the weak session ID generation, the brute-force/authentication-bypass path, the arbitrary code execution impact, the affected product/version scope, Version 1 end-of-life status, and the availability of COMMGR v2.10.0. No KEV listing or ransomware-campaign association is present in the supplied source data.
Official resources
- CVE-2025-3495 CVE record (CVE.org)
- CVE-2025-3495 NVD detail (NVD)
- Source item URL: cisa_csaf
Advisory revision history: initial publication 2025-04-15T06:00:00.000Z; Update A 2025-09-04T06:00:00.000Z, which updated the mitigation guidance and affected versions.