Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Delta Electronics CNCSoft lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.
AnalysisAI
Buffer overflow vulnerability (CWE-787) in Delta Electronics CNCSoft that allows local authenticated users to execute arbitrary code by opening a specially crafted malicious file. The vulnerability requires user interaction (file opening) but results in complete compromise of the affected process with high impact to confidentiality, integrity, and availability. No KEV status, EPSS score, or confirmed active exploitation data is available in the provided intelligence.
Technical ContextAI
The vulnerability stems from improper input validation in Delta Electronics CNCSoft's file parsing mechanism. CWE-787 (Out-of-bounds Write) indicates the application fails to properly validate the size or boundaries of user-supplied file content before writing to memory buffers. This is a classic buffer overflow condition where a maliciously crafted file with oversized data or malformed headers can cause the parser to write beyond allocated buffer boundaries. The affected product is Delta Electronics CNCSoft, a supervisory control and data acquisition (SCADA)/industrial control software suite. Without specific CPE data provided, the vulnerability likely affects CNCSoft across multiple versions, potentially CPE entries matching 'delta:cncsoft' or similar industrial software designations. The root cause is insufficient bounds checking during file deserialization or parsing operations.
CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has multiple stack-based buffer overflow vulnerabili
CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has two out-of-bounds read vulnerabilities could cau
CNCSoft: All versions prior to 1.01.32 does not properly sanitize input while processing a specific project file, allowi
Delta Electronics CNCSoft Versions 1.01.30 and prior are vulnerable to a stack-based buffer overflow, which may allow an
Local code execution vulnerability in Delta Electronics CNCSoft caused by insufficient validation of user-supplied files
Local arbitrary code execution vulnerability in Delta Electronics CNCSoft caused by insufficient validation of user-supp
Local privilege escalation vulnerability in Delta Electronics CNCSoft caused by insufficient validation of user-supplied
Delta Electronics CNCSoft (All versions prior to 1.01.32) does not properly sanitize input while processing a specific p
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-16848