Delta Electronics’ CNCSoft‑G2 has been the focus of a coordinated disclosure that exposes a file‑parsing out‑of‑bounds write (CWE‑787) in the DPAX project file handler — a flaw tracked as CVE‑2025‑47728 that can lead to arbitrary code execution when a user opens a specially crafted file, and which vendors and incident responders say should be patched immediately.
Delta Electronics develops widely used Human‑Machine Interface (HMI) and CNC management tools that service manufacturing and energy sector customers worldwide. Over the last year security researchers working with Trend Micro’s Zero Day Initiative (ZDI) reported multiple parsing bugs in CNCSoft‑G2 that target project file formats (DPAX among them), and the vendor has responded with a series of advisories and fixes. The coordinated disclosures culminated in the CVE‑2025‑47728 advisory and vendor patch guidance referenced in the public advisories and researcher writeups.
Multiple authoritative trackers and advisories confirm the technical facts at the heart of this issue: ZDI’s advisory (ZDI‑25‑411) documents CVE‑2025‑47728 and explains the DPAX parser memory‑corruption vector, while national vulnerability feeds (NVD) reflect the CVE entry and point to Delta’s own product security advisory. (zerodayinitiative.com, nvd.nist.gov)
Caution: public advisories across February–June 2025 show different “affected version” boundaries for related CVEs in CNCSoft‑G2; administrators should verify the exact patched build for their deployment by checking the vendor advisory tied to CVE‑2025‑47728 and the corresponding download center entry. The vendor advisory referenced in multiple trackers points to a fixed build (the vendor’s security PDF) as the definitive source. (nvd.nist.gov, zerodayinitiative.com)
Where public payloads or proof‑of‑concepts are concerned, no confirmed in‑the‑wild exploitation of CVE‑2025‑47728 had been reported in the advisories at publication; however, the lack of reported incidents in public feeds is not a guarantee of safety. If internal telemetry shows anomalous application crashes or unexpected outbound connections from engineering hosts, assume compromise until proven otherwise and follow incident response procedures. (cisa.gov)
Delta’s and ZDI’s advisories, together with national guidance, make the remediation path clear — patch the affected CNCSoft‑G2 instances, harden engineering workstations, and treat project file exchange with the same scrutiny applied to executable code. This is not a theoretical threat: an exploit chain that begins with a malicious project file can quickly translate into operational disruption in critical manufacturing and energy environments.
Source: CISA Delta Electronics CNCSoft-G2 | CISA
What the vulnerability is — technical summary
DPAX file parsing leads to memory corruption
- The vulnerability is a parsing defect in the DPAX project file handler inside CNCSoft‑G2.
- Improper input validation allows crafted DPAX files to cause an out‑of‑bounds write (CWE‑787), producing memory corruption that an attacker can convert into code execution in the process context.
- The exploit requires the victim to open or otherwise process a malicious DPAX file (user interaction), but it does not require prior authentication or privileges beyond those of the user running the application. This makes engineering and operator workstations especially attractive targets because those systems often run with broad access to OT networks and devices. (zerodayinitiative.com, nvd.nist.gov)
How exploitation works (high level)
- An attacker crafts a DPAX project file with specially formed fields that violate expected size/length checks.
- When CNCSoft‑G2 parses the file, the buggy code copies or writes outside the intended buffer, corrupting heap or object state.
- The memory corruption can be weaponized (typical steps include corrupting function pointers, vtables, or return addresses) to execute attacker code with the privileges of the running process.
- Outcome: arbitrary code execution within CNCSoft‑G2; if that workstation has network access to controllers or file shares, the attacker can pivot or deploy further payloads.
Affected products and versions — what to patch
Delta’s coordinated advisories covering multiple related parsing flaws list specific affected builds across several CVEs. For CVE‑2025‑47728 the public record shows:
- CNCSoft‑G2: versions at or prior to certain 2.1.x builds are implicated in DPAX parsing issues, and the vendor has produced updated builds. Different advisories over time list specific affected sub‑versions (for example, earlier advisories referenced v2.1.0.10 or 2.1.0.16 for other CVEs in the same family). This advisory cluster is part of an ongoing remediation campaign across multiple parsing CVEs. (cisa.gov)
Severity, scoring, and exploitability
- CVE scoring varies across trackers and revisions. ZDI lists a CVSS v3.1 base of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) for the DPAX parsing memory corruption class of flaws, while CISA advisories for related CNCSoft‑G2 bugs have published CVSS v4 base values of 8.4–8.5 for similar heap/stack/out‑of‑bounds errors. NVD/CVE entries for CVE‑2025‑47728 note CWE‑787 (out‑of‑bounds write) as the underlying class. (zerodayinitiative.com, cisa.gov, nvd.nist.gov)
- Attack vector: local (AV:L) — an attacker must get a malicious file onto a target or induce an authenticated user to open a file. Attack complexity is typically low for these parsing bugs because exploitation does not rely on exotic conditions. User interaction is required (UI:R), which is a key mitigating factor but not a reliable defense in modern threat environments where social engineering and supply‑chain file exchange are common. (zerodayinitiative.com, cisa.gov)
- Public exploitation: as of the latest vendor and national advisories, there were no confirmed reports of active, in‑the‑wild exploitation specific to CVE‑2025‑47728, but that absence is not proof of safety — similar parsing vulnerabilities have historically been weaponized quickly once PoCs circulated. Agencies and vendors emphasize rapid patching because the combination of low complexity and high impact creates an attractive target. (cisa.gov, zerodayinitiative.com)
Mitigation and patch guidance (operational steps)
Delta and coordinated responders (ZDI, CISA) have published the following practical guidance:
- Immediate action (patch): Install the CNCSoft‑G2 update that explicitly addresses the DPAX parsing memory corruption vulnerability. Confirm the CVE identifier (CVE‑2025‑47728) and the vendor advisory (Delta‑PCSA‑2025‑00007) when selecting the download. (Delta’s advisory PDFs are referenced by both ZDI and NVD as the canonical remediation documents.) (zerodayinitiative.com, nvd.nist.gov)
- Temporary compensating controls if patching is delayed:
  - Block inbound project files from untrusted sources. Where possible, restrict the types of files engineering workstations can open and scan project files with updated AV/EDR solutions prior to opening.
  - Enforce least privilege — avoid running engineering software as an administrative/system account. If CNCSoft‑G2 must run with elevated rights for specific workflows, consider isolating that function to a tightly controlled VM or jump host.
  - Network segmentation — isolate engineering/OT workstations from the corporate internet and from each other where possible to reduce lateral movement risk.
  - Mail / file hygiene — filter and quarantine attachments that are DPAX or other project file types if they come from outside trusted vendors or partners.
  - Strict application allow‑listing for critical engineering hosts to reduce the ability of a successful exploit to execute arbitrary payloads. (cisa.gov)
- Incident procedures: If suspicious DPAX files are discovered or unexpected application crashes/memory corruption events occur on engineering hosts, follow internal incident response processes, preserve logs and affected files, and consider contacting the vendor’s security support and national CSIRT/ICS‑CERT channels for correlation and guidance. CISA encourages reporting suspected incidents to help correlate activity across sectors. (cisa.gov)
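As an added illustration of the crash-signature triage the incident procedures above call for (example code written for this writeup, not tooling from Delta, ZDI or CISA), the script below scans constructed Windows event export lines for crashes of the engineering application whose exception codes look like memory corruption and correlates each with project files opened shortly before. The process name CNCSoft-G2.exe, the five-minute look-back and the simplified export layout are assumptions.

```python
import re
from datetime import datetime, timedelta

# Exception codes that usually accompany memory-corruption crashes:
# 0xc0000005 = STATUS_ACCESS_VIOLATION, 0xc0000409 = STATUS_STACK_BUFFER_OVERRUN.
MEMORY_CORRUPTION_CODES = {"0xc0000005", "0xc0000409"}
ENGINEERING_APP = "cncsoft-g2.exe"        # assumed process name, not from the advisories
PROJECT_EXTS = (".dpax", ".pm3", ".vpm")  # project formats the article names
WINDOW = timedelta(minutes=5)             # look-back for a project-file open before a crash

# Constructed, simplified export layout for Application Error (ID 1000) and
# object-access audit (ID 4663) records; real exports carry more fields.
CRASH_RE = re.compile(r"^(?P<ts>\S+) EventID=1000 app=(?P<app>\S+) "
                      r"module=(?P<module>\S+) code=(?P<code>0x[0-9a-fA-F]+)$")
OPEN_RE = re.compile(r"^(?P<ts>\S+) EventID=4663 app=(?P<app>\S+) file=(?P<file>.+)$")

def parse(lines):
    """Split export lines into crash records and file-open records."""
    crashes, opens = [], []
    for line in lines:
        if m := CRASH_RE.match(line):
            crashes.append((datetime.fromisoformat(m["ts"]), m["app"].lower(),
                            m["module"], m["code"].lower()))
        elif m := OPEN_RE.match(line):
            opens.append((datetime.fromisoformat(m["ts"]), m["app"].lower(), m["file"]))
    return crashes, opens

def triage(lines):
    """One finding per engineering-app crash, rated by exception code and trigger-file evidence."""
    crashes, opens = parse(lines)
    findings = []
    for ts, app, module, code in crashes:
        if app != ENGINEERING_APP:
            continue
        recent = [f for ots, oapp, f in opens
                  if oapp == app and ts - WINDOW <= ots <= ts
                  and f.lower().endswith(PROJECT_EXTS)]
        if code in MEMORY_CORRUPTION_CODES and recent:
            severity = "high"    # corruption-style crash plus a candidate trigger file
        elif code in MEMORY_CORRUPTION_CODES:
            severity = "medium"  # corruption-style crash, trigger file not identified
        else:
            severity = "low"     # ordinary crash, still worth a look on an OT host
        findings.append({"time": ts.isoformat(), "module": module, "code": code,
                         "files": recent, "severity": severity})
    return findings

# Constructed sample lines (not telemetry from any real host).
SAMPLE = [
    "2025-06-02T09:10:12 EventID=4663 app=CNCSoft-G2.exe file=C:\\Projects\\vendor_drop\\line3.dpax",
    "2025-06-02T09:10:40 EventID=1000 app=CNCSoft-G2.exe module=CNCSoft-G2.exe code=0xC0000005",
    "2025-06-02T11:02:00 EventID=1000 app=notepad.exe module=ntdll.dll code=0xc0000005",
    "2025-06-02T13:30:00 EventID=1000 app=CNCSoft-G2.exe module=CNCSoft-G2.exe code=0xe0434352",
]
```

A "high" finding is the cue to preserve the named project file and the crash dump before anything else on the host is touched.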
Operational impact for industrial environments
Engineering stations and HMI hosts often sit at a privileged junction between design artifacts and field controllers. A successful exploit that gains code execution on an engineering workstation can lead to:
- Tampering with control logic, configuration, or firmware that is then deployed to PLCs or HMIs.
- Lateral movement into trusted OT network segments, because engineering hosts commonly have broad access to industrial device management interfaces.
- Stealthy persistence and sabotage: an attacker can modify project files or automation sequences in ways that degrade safety or cause physical disruption while evading detection.
- Intellectual property exfiltration: project files frequently contain machine tool parameters, process recipes, or control sequences that are proprietary and commercially valuable.
Vendor response, disclosure timeline, and coordination
- Reporting and coordination: Trend Micro’s ZDI reported the DPAX parsing issue and coordinated disclosure with Delta; the ZDI advisory (ZDI‑25‑411) documents the timeline and credits the researcher. Delta issued product security advisories that mirror the technical descriptions and provide remediation downloads and instructions. (zerodayinitiative.com)
- Multiple advisories over time: Delta and CISA have released multiple related advisories addressing separate parsing bugs in CNCSoft‑G2 (stack and heap buffer overflows, out‑of‑bounds reads and writes, use of uninitialized variables), with CVEs spanning late 2024 through mid‑2025. As a result, administrators should not rely on a single advisory date — instead, verify whether all advisories and corresponding patches relevant to their installed CNCSoft‑G2 build have been applied. This advisory cluster underscores how a family of related parsing bugs can require multiple remediation steps. (cisa.gov)
Critical analysis — strengths and weaknesses of the response
Notable strengths
- Coordinated disclosure: The research community (ZDI) and the vendor coordinated to publish advisories and fixes, reducing the risk window and providing security teams with concrete remediation steps. The availability of vendor PDFs and tracker entries gives defenders clear artifacts to validate patches against. (zerodayinitiative.com, nvd.nist.gov)
- Clear mitigation guidance from authorities: CISA’s ICS advisories consistently emphasize defense‑in‑depth, network segmentation, and reduced exposure of engineering systems to untrusted inputs — practical measures that align with industrial cybersecurity best practices. (cisa.gov)
Potential risks and gaps
- Patch fragmentation: Multiple CVEs and overlapping advisories across a product family increase the chance that organizations will miss a specific fix for CVE‑2025‑47728. Different advisories list different “affected version” thresholds (e.g., v2.1.0.10 vs v2.1.0.16 vs other 2.1.x builds). Organizations must validate the exact patch applied against the specific CVE and vendor advisory. This fragmentation increases operational complexity during rollouts. (cisa.gov)
- Local vector, but realistic threat: Though the attack vector is local (AV:L), the real‑world paths to local execution are numerous in ICS: shared USB media, emailed project files, vendor or integrator transfers, and supply‑chain sharing. Social engineering and misconfigured file servers can make “local” exploitation achievable at scale. Relying on user caution alone is insufficient. (zerodayinitiative.com, cisa.gov)
- Inventory and update challenges: OT environments are notorious for slow patch cycles and frozen images maintained for stability. Organizations must ensure all copies (production, backup images, DR media) are inventoried and updated; otherwise the presence of an unpatched image in backups undermines the remediation. CISA and vendors urge administrators to include offline images in patch verification. (cisa.gov)
Practical checklist — what industrial IT / OT teams should do now
- Verify whether CNCSoft‑G2 is installed anywhere in your environment (engineering hosts, jump boxes, test benches, offline VMs).
- Identify the exact installed version for each instance; cross‑check against the vendor advisory tied to CVE‑2025‑47728. Do not assume a single “latest” update covers all CVEs — confirm the CVE list in the vendor PDF. (zerodayinitiative.com, nvd.nist.gov)
- Download and apply the vendor patch that specifically remediates the DPAX parsing memory corruption (follow vendor instructions and test in a controlled staging environment first).
- Quarantine and scan any DPAX or project files received from external parties before opening. Use sandboxing where feasible.
- Implement or reinforce network segmentation and access controls on engineering hosts; reduce direct connectivity to the internet and limit file sharing paths.
- Enforce least‑privilege execution for engineering tools and enable application allow‑listing on critical workstations.
- Review backups and disaster recovery images for unpatched software and update them accordingly.
- Update incident response playbooks to include file‑parsing exploit detection (application logs, crash signatures) and reporting to national CSIRTs or vendor incident contacts. (cisa.gov)
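To make the first two checklist items repeatable, here is an added example (written for this article, not vendor tooling) that compares an installed CNCSoft‑G2 build against per‑advisory fixed builds numerically, refuses to declare a host remediated while any threshold is still unknown, and sidesteps the string‑comparison trap in which "2.1.0.9" sorts above "2.1.0.16". The advisory table is constructed: the two fixed builds are illustrative, and the CVE‑2025‑47728 entry is deliberately left empty until the build is read from Delta‑PCSA‑2025‑00007.

```python
import re

def parse_version(text):
    """Convert 'v2.1.0.16' to (2, 1, 0, 16). Numeric tuples compare correctly, whereas
    plain string comparison ranks '2.1.0.9' above '2.1.0.16'."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def version_ge(installed, fixed):
    """True when installed >= fixed; shorter tuples are zero-padded so 2.1 equals 2.1.0.0."""
    width = max(len(installed), len(fixed))
    a = installed + (0,) * (width - len(installed))
    b = fixed + (0,) * (width - len(fixed))
    return a >= b

def outstanding(installed_text, advisories):
    """Map each advisory to 'patched', 'vulnerable' or 'unknown' (no fixed build supplied).
    advisories: {advisory id: first fixed build as a string, or None if not yet looked up}."""
    installed = parse_version(installed_text)
    status = {}
    for advisory, fixed in advisories.items():
        if fixed is None:
            status[advisory] = "unknown"
        elif version_ge(installed, parse_version(fixed)):
            status[advisory] = "patched"
        else:
            status[advisory] = "vulnerable"
    return status

def host_remediated(installed_text, advisories):
    """True only when every advisory is positively 'patched'; an 'unknown' threshold
    blocks the host from being declared remediated."""
    return all(s == "patched" for s in outstanding(installed_text, advisories).values())

# Constructed advisory table. The two fixed builds are illustrative, modelled on the
# 2.1.0.10 / 2.1.0.16 boundaries earlier advisories cite, and are NOT vendor data; the
# CVE-2025-47728 entry stays None until the build in Delta-PCSA-2025-00007 is read.
ADVISORIES = {
    "example-advisory-A (illustrative)": "2.1.0.11",
    "example-advisory-B (illustrative)": "2.1.0.17",
    "CVE-2025-47728 / Delta-PCSA-2025-00007": None,
}

if __name__ == "__main__":
    # Constructed inventory rows: (host, version string as reported by the installer).
    for host, ver in [("eng-ws-01", "v2.1.0.16"), ("eng-ws-02", "2.1.0.9")]:
        print(host, ver, outstanding(ver, ADVISORIES), "remediated:", host_remediated(ver, ADVISORIES))
```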
Flagging unverifiable or inconsistent claims
A review of public advisories shows some inconsistency in which CNCSoft‑G2 sub‑versions are cited as “affected” across different CVEs and advisory dates (for related but distinct parsing bugs). These discrepancies are not unusual when a product sees multiple coordinated disclosures over time, but they create risk for operators who may assume a generic “2.1.0.x” coverage. The reliable approach is to consult the vendor advisory PDF associated with the CVE in question (Delta‑PCSA‑2025‑00007 for CVE‑2025‑47728) and verify the exact patched build before declaring a host remediated. If the vendor PDF or download page cannot be reached directly, consult the ZDI advisory and the NVD/CVE entry as cross‑references. (zerodayinitiative.com, nvd.nist.gov)
Wider lessons for ICS/OT security
- Treat engineering tools and file formats as first‑class attack surfaces. Project files are a natural vector for attackers because they are exchanged frequently and can encode complex instructions for physical systems.
- Keep a centralized, regularly updated software inventory that includes not just production servers but engineering workstations, test benches, and offline recovery images.
- Invest in file‑handling hygiene: sandboxing, scanning, and content filtering for project file types (DPAX, PM3, VPM, etc.) common in OT ecosystems.
- Prioritize coordinated disclosure and vendor engagement: the Delta/ZDI/CISA sequence is a good example of how research and responsible disclosure can limit exposure — but defenders must translate advisories into organizational action promptly. (zerodayinitiative.com, cisa.gov)
Conclusion
CVE‑2025‑47728 is another reminder that file parsing bugs in engineering and HMI software are high‑impact vulnerabilities for the industrial sector. The DPAX parser out‑of‑bounds write in CNCSoft‑G2 can yield arbitrary code execution when a crafted file is opened, and vendors and national authorities have coordinated to publish advisories and patches. Engineering and OT teams must act quickly: inventory affected installs, apply the vendor patch tied to the CVE, and apply compensating controls (segmentation, least privilege, file scanning) where patching cannot be completed immediately. The technical facts and vendor responses are documented in the ZDI advisory and NVD/CISA entries; administrators should use those authoritative artifacts to validate the exact remedial build for their environment before scheduling change windows. (zerodayinitiative.com, nvd.nist.gov, cisa.gov)