Delta Electronics CNCSoft-B software versions 1.0.0.4 and earlier contain a stack-based buffer overflow vulnerability that could allow an attacker to execute arbitrary code. The flaw is tracked as CVE-2024-1941 and rated 7.8 on the CVSS v3.1 scale, with low attack complexity. Because Delta Electronics, headquartered in Taiwan, supplies equipment globally, the vulnerability is of particular concern to the critical manufacturing sector worldwide.
Delta recommends updating to CNCSoft-B version 1.0.0.4 with an issue date of January 23, 2024, or later. CISA advises users to minimize network exposure for control system devices and to isolate them from business networks with firewalls. Where remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used, while recognizing that VPNs themselves can have vulnerabilities. Organizations are encouraged to perform impact analysis and risk assessment before deploying defensive measures, and to consult CISA's ICS webpage for additional cybersecurity strategies and best practices. As of the initial publication date, no public exploitation targeting this vulnerability has been reported to CISA, and the vulnerability is not exploitable remotely.