Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Delta Electronics CNCSoft lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.
AnalysisAI
Local arbitrary code execution vulnerability in Delta Electronics CNCSoft caused by insufficient validation of user-supplied files. An attacker with local access can craft a malicious file that, when opened by a user, executes arbitrary code with the privileges of the CNCSoft process. With a CVSS score of 7.3 and CWE-787 (Out-of-bounds Write) classification, this represents a significant local privilege escalation risk, though exploitation requires user interaction and local access.
Technical ContextAI
CVE-2025-47725 stems from CWE-787 (Out-of-bounds Write), a memory safety vulnerability where CNCSoft fails to properly validate the structure and boundaries of user-supplied file inputs. Delta Electronics CNCSoft is industrial automation software used for CNC machine control and programming. The vulnerability likely exists in the file parsing routines that handle project files, CAM files, or other CNCSoft-native formats without adequate bounds checking or input sanitization. When a malformed file is processed, an attacker can write data beyond allocated buffer boundaries, corrupting memory and achieving code execution within the application context. The affected software operates on Windows systems and is commonly deployed in manufacturing environments where file sharing and batch processing are standard practices.
RemediationAI
- Apply vendor-provided security patch from Delta Electronics immediately upon release. 2) Until patching is possible, implement compensating controls: restrict CNCSoft file access to trusted sources only; disable auto-opening of CNCSoft project files from email and network shares; operate CNCSoft with least-privilege user accounts; implement file integrity monitoring on CNCSoft project directories; restrict user ability to open files from network locations. 3) Monitor vendor advisory page (Delta Electronics Security Center) for patch availability and release notes. 4) If patch is available, deploy to all affected systems according to change management procedures, testing in non-production environment first given the industrial control context.
CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has multiple stack-based buffer overflow vulnerabili
CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has two out-of-bounds read vulnerabilities could cau
CNCSoft: All versions prior to 1.01.32 does not properly sanitize input while processing a specific project file, allowi
Delta Electronics CNCSoft Versions 1.01.30 and prior are vulnerable to a stack-based buffer overflow, which may allow an
Local code execution vulnerability in Delta Electronics CNCSoft caused by insufficient validation of user-supplied files
Buffer overflow vulnerability (CWE-787) in Delta Electronics CNCSoft that allows local authenticated users to execute ar
Local privilege escalation vulnerability in Delta Electronics CNCSoft caused by insufficient validation of user-supplied
Delta Electronics CNCSoft (All versions prior to 1.01.32) does not properly sanitize input while processing a specific p
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-16849