Delta Electronics CNCSoft-G2, an HMI software package, has been found to contain several significant vulnerabilities that pose serious security risks: stack-based buffer overflows, out-of-bounds reads and writes, and heap-based buffer overflows. These issues are tracked as CVE-2024-39880 through CVE-2024-39883 and stem from inadequate validation of user-supplied data.
If exploited, the vulnerabilities could allow an attacker to execute arbitrary code remotely. With a CVSS v4 score of 8.4, the severity of these issues is high, highlighting the need for immediate action to mitigate risk. Delta Electronics recommends updating to CNCSoft-G2 version 2.1.0.10 or later to address these security flaws.
In addition to the update recommendation, CISA advises implementing further defensive measures to reduce exposure. These include minimizing network access to control systems, placing them behind firewalls, and using secure remote access methods such as Virtual Private Networks (VPNs). Organizations should also conduct thorough impact analyses and risk assessments before applying these defensive measures.
CISA’s guidance emphasizes the importance of proactive cybersecurity practices. While no public exploits targeting these vulnerabilities are known at this time, the risks they pose underline the need to adopt the recommended security measures and to stay informed about best practices for protecting industrial control systems.