Delta Electronics’ engineering tool EIP Builder contains an XML External Entity (XXE) vulnerability (CVE-2025-57704) that can expose sensitive files when the application parses crafted XML, and vendors and national incident responders now recommend an immediate upgrade to mitigate the risk. (cisa.gov)
Delta Electronics’ EIP Builder is an engineering configuration tool used in industrial automation workflows, particularly within the critical manufacturing sector. The Cybersecurity and Infrastructure Security Agency (CISA) published an ICS advisory for this issue on September 2, 2025, assigning the advisory code ICSA-25-245-01 and calling out an Improper Restriction of XML External Entity Reference (CWE-611) vulnerability. CISA’s advisory reports a CVSS v4 base score of 6.7 and notes low attack complexity for the condition described. (cisa.gov)
Delta Electronics has published a vendor Product Cybersecurity Advisory (Delta‑PCSA‑2025‑00013) confirming the issue, naming EIP Builder v1.11 and prior as affected and advising users to update to v1.12 or later. The vendor lists the vulnerability severity as Medium and provides an explicit remediation path via the product download center. (filecenter.deltaww.com)
CISA’s advisory stresses that even vulnerabilities that are not remotely exploitable can be weaponized via social engineering or as part of multi-stage intrusions. The advisory therefore recommends timely patching and standard ICS hardening practices. (cisa.gov)
Key action items to close the window of opportunity:
Conclusion
Delta Electronics’ EIP Builder vulnerability (CVE-2025-57704) has been responsibly disclosed and patched; the prioritized, immediate step for affected operators is to upgrade to v1.12 while applying defensive controls and parser hardening across the engineering toolchain. Combining vendor fixes with policy changes and secure XML practices will greatly reduce the chance that this class of vulnerability can be turned into operational compromise. (filecenter.deltaww.com, cisa.gov)
Source: CISA Delta Electronics EIP Builder | CISA
Delta Electronics’ EIP Builder is an engineering configuration tool used in industrial automation workflows, particularly within the critical manufacturing sector. The Cybersecurity and Infrastructure Security Agency (CISA) published an ICS advisory for this issue on September 2, 2025, assigning the advisory code ICSA-25-245-01 and calling out an Improper Restriction of XML External Entity Reference (CWE-611) vulnerability. CISA’s advisory reports a CVSS v4 base score of 6.7 and notes low attack complexity for the condition described. (cisa.gov)Delta Electronics has published a vendor Product Cybersecurity Advisory (Delta‑PCSA‑2025‑00013) confirming the issue, naming EIP Builder v1.11 and prior as affected and advising users to update to v1.12 or later. The vendor lists the vulnerability severity as Medium and provides an explicit remediation path via the product download center. (filecenter.deltaww.com)
What the vulnerability is (technical overview)
1. XXE / CWE‑611 in plain terms
An XML External Entity (XXE) vulnerability occurs when an XML parser blindly processes external entity references declared in a document’s DTD or body, allowing the XML consumer to include arbitrary external content during parsing. That content can be local files, remote URLs, or other system resources — which may result in information disclosure, server‑side request forgery (SSRF), or other secondary effects depending on the environment and parser configuration. The EIP Builder issue is described as a file parsing XML external entity processing information disclosure vulnerability. (nvd.nist.gov) (cisa.gov)2. Attack vector and exploitability
- The vendor and CISA both indicate the vulnerability is triggered when EIP Builder parses specially crafted XML content (for example, project files or imported configuration items). The public CVE and advisory metadata show the attack vector is local (AV:L), which implies the attacker must get a specially crafted file onto an engineering workstation that runs EIP Builder. (nvd.nist.gov, cisa.gov)
- CISA explicitly reports that the vulnerability is not remotely exploitable in the product’s default deployment model and that, as of publication, there were no known reports of in‑the‑wild exploitation tied to this CVE. Nevertheless, the advisory warns that successful exploitation could disclose sensitive information from the host. (cisa.gov)
- Public CVSS indicators: the vendor-calculated CVSS v3.1 base score is 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) and the CVSS v4 base score is 6.7 (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N). These vectors reinforce the position that a local file or user interaction step is required, but the attack complexity is low. (cisa.gov, nvd.nist.gov)
Who and what is affected
- Affected product: EIP Builder, versions 1.11 and prior. Delta’s advisory and the national vulnerability listings both list v1.11 as the threshold. (filecenter.deltaww.com, nvd.nist.gov)
- Sector impact: CISA categorizes affected deployments as primarily in Critical Manufacturing, but Delta products are deployed worldwide across varied industrial environments. The potential impact is therefore global for organizations that use EIP Builder in their engineering toolchain. (cisa.gov)
- Practical exposure: Because the flaw is triggered by parsing files, typical exposure paths include email attachments, malicious or tampered project files from contractors or third parties, or malicious USB devices introduced to an engineering workstation.
Why this matters for industrial operators
Industrial engineering workstations are high-value targets. These systems often run with elevated access to OT assets, hold intellectual property (PLC programs, configuration files), and are trusted by downstream controllers. A successful XXE-based disclosure can leak configuration data, credentials or other sensitive artifacts from the engineering host — facilitating follow-on actions such as lateral movement, credential theft, or targeted sabotage.CISA’s advisory stresses that even vulnerabilities that are not remotely exploitable can be weaponized via social engineering or as part of multi-stage intrusions. The advisory therefore recommends timely patching and standard ICS hardening practices. (cisa.gov)
Vendor response and mitigation status
- Delta Electronics released a product advisory and provided EIP Builder v1.12 to address the issue; the vendor’s bulletin explicitly recommends upgrading to v1.12 or later. Delta marked the fix as available on August 26, 2025. (filecenter.deltaww.com)
- National tracking (NVD/CNA entries) show the CVE was entered and associated with Delta’s advisory in late August 2025. Public vulnerability aggregators reflect the vendor's CVSS v3.1 score and description. (nvd.nist.gov, cvedetails.com)
Practical, prioritized steps for administrators (operational checklist)
- Inventory
- Identify all engineering workstations, build servers, and shared file stores that run EIP Builder or store EIP Builder project files.
- Patch
- Download and install EIP Builder v1.12 or later in a controlled manner — first in staging, then production after validation. Follow vendor update instructions and verify binary checksums when available. (filecenter.deltaww.com)
- Containment
- Temporarily limit those systems’ access to external networks and remove unnecessary removable‑media read/write paths until you confirm the update is applied.
- Harden XML processing
- For custom in‑house tools that consume EIP Builder files or integrate with the engineering toolchain, disable DTD/external entity processing in XML libraries or use safe parsing defaults (see OWASP guidance below). This reduces the chance that other systems will be vulnerable to the same class of issue. (cheatsheetseries.owasp.org)
- Preventive hygiene
- Block or closely inspect inbound emails with attachments destined for engineering teams; enforce policies to avoid opening untrusted files on workstations used for control engineering.
- Recovery and images
- Update golden images, offline backups, and disaster recovery images to include the patched EIP Builder version; ensure rollback procedures are in place and validated.
- Monitoring and detection
- Review endpoint and application logs for suspicious file imports or XML parsing errors; look for unexpected file accesses from EIP Builder processes and anomalous outbound requests that could indicate entity resolution attempts.
- Full risk assessment
- Perform an impact analysis before making broad operational changes — especially in production ICS environments — to avoid inadvertent disruption. CISA emphasizes impact analysis and risk assessment as part of defensive measures. (cisa.gov)
Developer & security engineering guidance (how to prevent XXE in your stack)
The safest approach is to disable DTDs and external entity processing entirely in XML parsers used by internal tools or integrations. The OWASP XML External Entity Prevention Cheat Sheet provides actionable configuration examples for commonly used languages and libraries (Java, .NET, Python, PHP and more). It shows how to disable DTDs, set secure parser flags, or provide a no‑op entity resolver so parsers cannot resolve external entities. Follow these rules:- Prefer JSON or other simpler data formats when exchanging files that do not require XML features.
- Disable DTDs or external entity resolution in the parser (for example, set parser features that disallow doctypes, or set XmlResolver = null in .NET where applicable).
- If DTDs are required, strictly validate and whitelist any allowed references and enforce maximum entity expansion depths. (cheatsheetseries.owasp.org)
Detection, logging and forensic considerations
- Log file operations performed by EIP Builder processes, including read requests to local filesystem paths that are uncommon for normal operation (e.g., system configuration directories).
- Monitor for DNS lookups or HTTP(S) requests originating from engineering hosts that could indicate entity resolution or SSRF attempts.
- If suspicious activity is observed, collect volatile artifacts (running processes, loaded DLLs/shared libraries), copies of any suspicious XML files, and relevant logs; preserve chain-of-custody for incident response.
- Correlate any abnormal file‑read activity with recent inbound file transfers (email attachments, network shares, USB events) to trace the likely vector.
Assessment of risk and what to expect
- Strengths of the disclosure: the vendor issued a fix quickly and published a concise advisory with a clear remediation path (v1.12). CISA’s participation in publishing the ICS advisory provides an authoritative, consolidated description of the risk and recommended mitigations for industrial operators. These are positive practices that enable rapid remediation. (filecenter.deltaww.com, cisa.gov)
- Residual risk and limitations: because the flaw is a local file parsing vulnerability, it can be effectively mitigated by removing the malicious file or preventing the file from reaching engineering hosts — but that depends on procedural controls and user discipline. Attackers routinely combine social engineering and file-based exploits to reach trusted endpoints. Also, while CISA reported no known in‑the‑wild exploitation at publication, that status can change quickly; organizations should not treat the absence of reported exploitation as proof of safety. (cisa.gov)
- Unverifiable or evolving items: attribution of the researcher(s) and any detailed exploit chaining beyond the public advisory typically come from coordinated disclosure statements. CISA’s advisory credits the researcher alias kimiya, working with Trend Micro’s Zero Day Initiative, but separate technical writeups or exploit code were not released publicly. Treat such vendor/researcher attributions as factual as published, while acknowledging that additional context (exploit techniques, PoC code) can appear later in public repositories or security research writeups. (cisa.gov, trendmicro.com)
Recommended timeline for remediation (practical schedule)
- Within 24–72 hours: Confirm inventory and identify any EIP Builder instances; block external exposure where feasible; communicate with engineering teams about the update plan.
- Within 7 days: Deploy and validate EIP Builder v1.12 in test environments; verify normal engineering workflows and exports still function.
- Within 14 days: Roll out the update to production engineering workstations and update golden images / backups.
- Ongoing: Maintain monitoring for suspicious behavior and ensure vendor advisories are tracked for subsequent fixes or related CVEs.
Final assessment and takeaways
This CVE is a classic XXE information‑disclosure case: it is fixable through a vendor patch and can be defended against with standard XML parser hardening. The good news is that Delta released a targeted update (v1.12) and national bodies have published formal advisories and mitigation guidance to help operators prioritize remediation. The less‑good news is that engineering workstations — the primary attack surface for this bug — are often treated as semi‑trusted, and operational constraints can delay patch rollout. Organizations must therefore combine prompt patching with operational controls (network isolation, file screening, secure parsing practices) to reduce exposure.Key action items to close the window of opportunity:
- Install EIP Builder v1.12 or later as soon as practical. (filecenter.deltaww.com)
- Harden XML parsing in any internal tools that consume EIP Builder files. (cheatsheetseries.owasp.org)
- Apply CISA’s recommended ICS best practices (network segmentation, firewalling, secure remote access) and perform a risk assessment before deploying changes. (cisa.gov)
Conclusion
Delta Electronics’ EIP Builder vulnerability (CVE-2025-57704) has been responsibly disclosed and patched; the prioritized, immediate step for affected operators is to upgrade to v1.12 while applying defensive controls and parser hardening across the engineering toolchain. Combining vendor fixes with policy changes and secure XML practices will greatly reduce the chance that this class of vulnerability can be turned into operational compromise. (filecenter.deltaww.com, cisa.gov)
Source: CISA Delta Electronics EIP Builder | CISA