Delta Electronics’ engineering tool EIP Builder contains an XML External Entity (XXE) vulnerability (CVE-2025-57704) that can expose sensitive files when the application parses crafted XML, and vendors and national incident responders now recommend an immediate upgrade to mitigate the risk.
Background
Delta Electronics’ EIP Builder is an engineering configuration tool used in industrial automation workflows, particularly within the critical manufacturing sector. The Cybersecurity and Infrastructure Security Agency (CISA) published an ICS advisory for this issue on September 2, 2025, assigning the advisory code ICSA-25-245-01 and calling out an Improper Restriction of XML External Entity Reference (CWE-611) vulnerability. CISA’s advisory reports a CVSS v4 base score of 6.7 and notes low attack complexity for the condition described. Delta Electronics has published a vendor Product Cybersecurity Advisory (Delta-PCSA-2025-00013) confirming the issue, naming EIP Builder v1.11 and prior as affected and advising users to update to v1.12 or later. The vendor lists the vulnerability severity as Medium and provides an explicit remediation path via the product download center.
What the vulnerability is (technical overview)
1. XXE / CWE‑611 in plain terms
An XML External Entity (XXE) vulnerability occurs when an XML parser resolves external entity references declared in a document’s DTD (internal or external subset) without restriction, so the application consuming the XML pulls arbitrary external content into the document during parsing. That content can be local files, remote URLs, or other system resources, which may result in information disclosure, server-side request forgery (SSRF), or other secondary effects depending on the environment and parser configuration. The EIP Builder issue is described as a file parsing XML external entity processing information disclosure vulnerability.
2. Attack vector and exploitability
- The vendor and CISA both indicate the vulnerability is triggered when EIP Builder parses specially crafted XML content (for example, project files or imported configuration items). The public CVE and advisory metadata show the attack vector is local (AV:L), which implies the attacker must get a specially crafted file onto an engineering workstation that runs EIP Builder. (nvd.nist.gov, cisa.gov)
- CISA explicitly reports that the vulnerability is not remotely exploitable in the product’s default deployment model and that, as of publication, there were no known reports of in‑the‑wild exploitation tied to this CVE. Nevertheless, the advisory warns that successful exploitation could disclose sensitive information from the host.
- Public CVSS indicators: the vendor-calculated CVSS v3.1 base score is 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) and the CVSS v4 base score is 6.7 (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N). These vectors reinforce the position that a local file or user interaction step is required, but the attack complexity is low. (cisa.gov, nvd.nist.gov)
Who and what is affected
- Affected product: EIP Builder, versions 1.11 and prior. Delta’s advisory and the national vulnerability listings both list v1.11 as the threshold. (filecenter.deltaww.com, nvd.nist.gov)
- Sector impact: CISA categorizes affected deployments as primarily in Critical Manufacturing, but Delta products are deployed worldwide across varied industrial environments. The potential impact is therefore global for organizations that use EIP Builder in their engineering toolchain.
- Practical exposure: Because the flaw is triggered by parsing files, typical exposure paths include email attachments, malicious or tampered project files from contractors or third parties, or malicious USB devices introduced to an engineering workstation.
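The XXE mechanism from section 1 and the file-based exposure paths above suggest two defensive controls an operator can apply on their own side: a triage check that flags DOCTYPE and external entity declarations in project or configuration files before they reach an engineering workstation, and a parse routine with external entity resolution disabled. The following is an added Python example, not code from the page, Delta or CISA; the XML samples, the file path in the entity and the element names are constructed placeholders, not EIP Builder's real project format.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample standing in for a crafted project file: the DOCTYPE declares
# an external general entity and the body references it. Placeholder path; the
# advisory names no specific file.
CRAFTED_XML = b"""<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY cfg SYSTEM "file:///placeholder/sensitive.txt">
]>
<project><name>Line1</name><note>&cfg;</note></project>"""

# Constructed benign file with the same layout and no DTD at all.
CLEAN_XML = b'<?xml version="1.0"?><project><name>Line1</name><note>ok</note></project>'

# XML keywords are case-sensitive, so the patterns are too. The triage assumes a
# UTF-8/ASCII prolog; transcode UTF-16 input before handing it to triage_xml().
_DOCTYPE = re.compile(rb"<!DOCTYPE\b")
_EXT_DTD = re.compile(rb"<!DOCTYPE\s+\S+\s+(SYSTEM|PUBLIC)\b")
_EXT_ENTITY = re.compile(rb"<!ENTITY\s+(%\s*)?\w+\s+(SYSTEM|PUBLIC)\b[^>]*>")


def triage_xml(data: bytes) -> list:
    """Findings for an XML file before it reaches an engineering host. A DOCTYPE
    alone deserves a look; SYSTEM/PUBLIC entities or an external DTD are the XXE signal."""
    findings = []
    if _DOCTYPE.search(data):
        findings.append("DOCTYPE present")
    if _EXT_DTD.search(data):
        findings.append("external DTD reference")
    for m in _EXT_ENTITY.finditer(data):
        findings.append("external entity declaration: " + m.group(0).decode("ascii", "replace"))
    return findings


class _TextCollector(ContentHandler):
    """Collects element text keyed by element path, e.g. 'project/note'."""
    def __init__(self):
        super().__init__()
        self.text, self._path = {}, []
    def startElement(self, name, attrs):
        self._path.append(name)
        self.text.setdefault("/".join(self._path), "")
    def characters(self, content):
        key = "/".join(self._path)
        self.text[key] = self.text.get(key, "") + content
    def endElement(self, name):
        self._path.pop()


def parse_hardened(data: bytes) -> dict:
    """CWE-611 mitigation: external general and parameter entities are disabled,
    so a reference such as &cfg; expands to nothing instead of file contents."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.text
```

Run `triage_xml()` at the point where files enter the engineering network (mail gateway, file-transfer gate, removable-media scan) and quarantine anything with external entity findings; `parse_hardened()` shows the parser setting that makes such a file harmless to the host.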
Why this matters for industrial operators
Industrial engineering workstations are high-value targets. These systems often run with elevated access to OT assets, hold intellectual property (PLC programs, configuration files), and are trusted by downstream controllers. A successful XXE-based disclosure can leak configuration data, credentials or other sensitive artifacts from the engineering host — facilitating follow-on actions such as lateral movement, credential theft, or targeted sabotage.
CISA’s advisory stresses that even vulnerabilities that are not remotely exploitable can be weaponized via social engineering or as part of multi-stage intrusions. The advisory therefore recommends timely patching and standard ICS hardening practices.
Vendor response and mitigation status
- Delta Electronics released a product advisory and provided EIP Builder v1.12 to address the issue; the vendor’s bulletin explicitly recommends upgrading to v1.12 or later. Delta marked the fix as available on August 26, 2025.
- National tracking entries (NVD/CNA) show that the CVE was entered and associated with Delta’s advisory in late August 2025. Public vulnerability aggregators reflect the vendor’s CVSS v3.1 score and description. (nvd.nist.gov, filecenter.deltaww.com, cisa.gov)
- Residual risk and limitations: because the flaw is a local file parsing vulnerability, it can be effectively mitigated by removing the malicious file or preventing the file from reaching engineering hosts — but that depends on procedural controls and user discipline. Attackers routinely combine social engineering and file-based exploits to reach trusted endpoints. Also, while CISA reported no known in‑the‑wild exploitation at publication, that status can change quickly; organizations should not treat the absence of reported exploitation as proof of safety.
- Unverifiable or evolving items: attribution of the researcher(s) and any detailed exploit chaining beyond the public advisory typically come from coordinated disclosure statements. CISA’s advisory credits the researcher alias kimiya, working with Trend Micro’s Zero Day Initiative, but no separate technical writeup or exploit code was released publicly. Treat such vendor/researcher attributions as factual as published, while acknowledging that additional context (exploit techniques, PoC code) can appear later in public repositories or security research writeups. (cisa.gov, filecenter.deltaww.com)
Source: CISA Delta Electronics EIP Builder | CISA