Delta Electronics’ CNCSoft‑G2 has been the focus of a coordinated disclosure that exposes a file‑parsing out‑of‑bounds write (CWE‑787) in the DPAX project file handler — a flaw tracked as CVE‑2025‑47728 that can lead to arbitrary code execution when a user opens a specially crafted file, and which vendors and incident responders say should be patched immediately.
Background / Overview
Delta Electronics develops widely used Human‑Machine Interface (HMI) and CNC management tools that service manufacturing and energy sector customers worldwide. Over the last year security researchers working with Trend Micro’s Zero Day Initiative (ZDI) reported multiple parsing bugs in CNCSoft‑G2 that target project file formats (DPAX among them), and the vendor has responded with a series of advisories and fixes. The coordinated disclosures culminated in the CVE‑2025‑47728 advisory and vendor patch guidance referenced in the public advisories and researcher writeups.
Multiple authoritative trackers and advisories confirm the technical facts at the heart of this issue: ZDI’s advisory (ZDI‑25‑411) documents CVE‑2025‑47728 and explains the DPAX parser memory‑corruption vector, while national vulnerability feeds (NVD) reflect the CVE entry and point to Delta’s own product security advisory. (nvd.nist.gov)
What the vulnerability is — technical summary
DPAX file parsing leads to memory corruption
- The vulnerability is a parsing defect in the DPAX project file handler inside CNCSoft‑G2.
- Improper input validation allows crafted DPAX files to cause an out‑of‑bounds write (CWE‑787), producing memory corruption that an attacker can convert into code execution in the process context.
- The exploit requires the victim to open or otherwise process a malicious DPAX file (user interaction), but does not require prior authentication or elevated privileges if the user already runs the application. This makes engineering and operator workstations especially attractive targets because those systems often run with broad access to OT networks and devices. (nvd.nist.gov)
How exploitation works (high level)
- An attacker crafts a DPAX project file with specially formed fields that violate expected size/length checks.
- When CNCSoft‑G2 parses the file, the buggy code copies or writes outside the intended buffer, corrupting heap or object state.
- The memory corruption can be weaponized (typical steps include corrupting function pointers, vtables, or return addresses) to execute attacker code with the privileges of the running process.
- Outcome: arbitrary code execution within CNCSoft‑G2; if that workstation has network access to controllers or file shares, the attacker can pivot or deploy further payloads.
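The following sketch shows the two length checks whose absence produces this class of bug. It is an added illustration, not code from Delta or from the advisories; the record layout, `parse_name_record`, `demo_parse` and all constants are hypothetical, since the real DPAX format is not described here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, NOT the real DPAX format:
 * u16 tag | u32 length (little-endian) | payload[length] */
enum { REC_HDR = 6, NAME_CAP = 32, SAMPLE_MAX = 64 };
enum { P_OK = 0, P_TRUNCATED = -1, P_LEN_GT_INPUT = -2, P_LEN_GT_DEST = -3 };

struct project_name { char text[NAME_CAP]; size_t len; };

/* Copy one record's payload into a fixed-size field, trusting nothing in the header. */
int parse_name_record(const uint8_t *buf, size_t buf_len, struct project_name *out)
{
    if (buf_len < REC_HDR)
        return P_TRUNCATED;                 /* header itself is incomplete */
    uint32_t len = (uint32_t)buf[2] | (uint32_t)buf[3] << 8 |
                   (uint32_t)buf[4] << 16 | (uint32_t)buf[5] << 24;
    /* Check 1: declared length vs bytes really present. Subtract on the
     * trusted side so a huge length cannot wrap an addition. */
    if (len > buf_len - REC_HDR)
        return P_LEN_GT_INPUT;
    /* Check 2: declared length vs destination capacity (one byte kept for NUL).
     * Omitting this check is the CWE-787 pattern: memcpy would run past text[]. */
    if (len >= NAME_CAP)
        return P_LEN_GT_DEST;
    memcpy(out->text, buf + REC_HDR, len);
    out->text[len] = '\0';
    out->len = len;
    return P_OK;
}

/* Constructed sample: a record that declares `declared` payload bytes but carries `actual`. */
int demo_parse(uint32_t declared, size_t actual)
{
    uint8_t file[REC_HDR + SAMPLE_MAX] = { 0x01, 0x00 };
    struct project_name name;
    if (actual > SAMPLE_MAX) actual = SAMPLE_MAX;
    for (int i = 0; i < 4; i++)
        file[2 + i] = (uint8_t)(declared >> (8 * i));
    memset(file + REC_HDR, 'A', actual);
    return parse_name_record(file, REC_HDR + actual, &name);
}

int main(void)
{
    printf("%d %d %d\n", demo_parse(5, 5), demo_parse(64, 8), demo_parse(40, 40));
    return 0;
}
```

Both checks are needed: a record can be fully present in the file and still be larger than the field it is copied into.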
Affected products and versions — what to patch
Delta’s coordinated advisories covering multiple related parsing flaws list specific affected builds across several CVEs. For CVE‑2025‑47728 the public record shows:
- CNCSoft‑G2: versions at or prior to certain 2.1.x builds are implicated in DPAX parsing issues; vendors have produced updated builds. Different advisories over time list specific affected sub‑versions (for example, earlier advisories referenced v2.1.0.10 or 2.1.0.16 for other CVEs in the same family). This advisory cluster is part of an ongoing remediation campaign across multiple parsing CVEs.
Caution: public advisories across February–June 2025 show different “affected version” boundaries for related CVEs in CNCSoft‑G2; administrators should verify the exact patched build for their deployment by checking the vendor advisory tied to CVE‑2025‑47728 and the corresponding download center entry. The vendor advisory referenced in multiple trackers points to a fixed build (the vendor’s security PDF) as the definitive source. (zerodayinitiative.com)
Severity, scoring, and exploitability
- CVE scoring varies across trackers and revisions. ZDI lists a CVSS v3.1 base of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) for the DPAX parsing memory corruption class of flaws, while CISA advisories for related CNCSoft‑G2 bugs have published CVSS v4 base values of 8.4–8.5 for similar heap/stack/out‑of‑bounds errors. NVD/CVE entries for CVE‑2025‑47728 note CWE‑787 (out‑of‑bounds write) as the underlying class. (cisa.gov, zerodayinitiative.com)
Delta’s and ZDI’s advisories, together with national guidance, make the remediation path clear — patch the affected CNCSoft‑G2 instances, harden engineering workstations, and treat project file exchange with the same scrutiny applied to executable code. This is not a theoretical threat: an exploit chain that begins with a malicious project file can quickly translate into operational disruption in critical manufacturing and energy environments.
Source: CISA Delta Electronics CNCSoft-G2 | CISA