PatchSiren

CVE-2026-1949 Deltaww CVE debrief

CVE-2026-1949 is a critical vulnerability in Delta Electronics AS320T firmware affecting the web service GET/PUT request handler. The issue is an incorrect calculation of stack buffer size. Its impact is high: the published CVSS vector rates the flaw as network-reachable and unauthenticated, with impact on confidentiality, integrity, and availability. NVD lists firmware versions before 1.16 as vulnerable, and Delta’s advisory covers this issue alongside related AS320T vulnerabilities.

Vendor: Deltaww
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-24
Original CVE updated: 2026-05-11
Advisory published: 2026-04-24
Advisory updated: 2026-05-11

Who should care

OT/ICS defenders, plant operators, and system integrators who manage Delta Electronics AS320T devices, especially any unit running firmware earlier than 1.16.

Technical summary

The flaw is a stack buffer sizing error in the AS320T web service GET/PUT request handler. NVD maps the weakness to CWE-131 and rates the issue CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable issue with no privileges or user interaction required. The NVD CPE data marks AS320T firmware versions before 1.16 as affected.

Defensive priority

Immediate. Treat as a critical exposure on any internet- or network-reachable AS320T management interface and prioritize firmware remediation ahead of routine maintenance.

Recommended defensive actions

  • Identify all Delta Electronics AS320T devices in the environment and confirm their firmware version.
  • Prioritize devices running firmware earlier than 1.16 for immediate remediation.
  • Apply the vendor-recommended firmware update or move to a non-vulnerable version at or above 1.16.
  • Restrict access to the web service management interface to trusted admin networks only until remediation is complete.
  • Monitor vendor advisory materials for any additional guidance related to the AS320T vulnerability set.
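
The first two actions above can be scripted against an asset inventory. The following is an added example, not code from Delta or NVD: the CSV column names, asset names and the dotted firmware-string format (with an optional "V" prefix) are assumptions, and the inventory rows are constructed. Versions are compared as integer tuples because a string or float comparison would rank 1.9 above 1.16 and miss a vulnerable unit.

```python
import csv
import io
import re

FIXED = (1, 16)  # first non-vulnerable AS320T firmware, per the NVD data cited above

# Constructed sample inventory; column names and asset names are assumptions.
SAMPLE_INVENTORY = """\
asset,model,firmware
plc-line1,AS320T,1.9
plc-line2,AS320T,V1.16
plc-line3,as320t,1.2.4
plc-line4,AS320T,
hmi-01,OTHER-MODEL,2.0
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def pad(version, length):
    """Right-pad with zeros so 1.16 and 1.16.0 compare as equal."""
    return version + (0,) * (length - len(version))

def is_vulnerable(version):
    n = max(len(version), len(FIXED))
    return pad(version, n) < pad(FIXED, n)

def triage(inventory_csv):
    """Map asset name -> 'vulnerable' | 'fixed' | 'unknown' for AS320T rows only."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().upper() != "AS320T":
            continue
        version = parse_version(row["firmware"] or "")
        if version is None:
            # No usable version recorded: confirm on the device before clearing it.
            result[row["asset"]] = "unknown"
        elif is_vulnerable(version):
            result[row["asset"]] = "vulnerable"
        else:
            result[row["asset"]] = "fixed"
    return result

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY).items():
        print(f"{asset}: {status}")
```

Assets reported as "unknown" belong in the remediation queue alongside "vulnerable" ones until their firmware version has been confirmed.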

Evidence notes

Primary evidence comes from the NVD record for CVE-2026-1949 and the linked Delta Electronics advisory. The NVD entry shows publication on 2026-04-24 and modification on 2026-05-11, lists CWE-131, and marks AS320T firmware versions before 1.16 as vulnerable. The title of the vendor advisory referenced by NVD covers multiple AS320T vulnerabilities, including CVE-2026-1949.

Official resources

Publicly disclosed on 2026-04-24 via the NVD record, with a linked Delta Electronics advisory. NVD modified the record on 2026-05-11.