Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
File-parsing deserialization needs a victim to open a malicious local file (AV:L, UI:R) with no attacker auth (PR:N); successful RCE yields full C/I/A impact.
Primary rating from Vendor (Deltaww).
CVSS VectorVendor: Deltaww
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code.
AnalysisAI
Arbitrary code execution in Delta Electronics DTMSoft arises from unsafe deserialization of untrusted data during project file parsing (CWE-502), allowing an attacker who supplies a malicious DTMSoft project file to run code in the context of the user who opens it. The flaw is local and requires victim interaction (opening the crafted file) rather than remote network exploitation, and impacts confidentiality, integrity, and availability fully. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open a maliciously crafted DTMSoft project file inside DTMSoft - the vulnerable code path is the project-file parsing/deserialization routine, so a triggering file must be delivered to and opened by a user (consistent with AV:L and UI:A). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, base 8.4) and its CVSS 3.1 equivalent both characterize this as a high-severity but user-interaction-dependent, locally-vectored issue - it is not a remotely auto-exploitable service bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a DTMSoft project file containing a malicious serialized object graph and delivers it to an engineer via email, a shared drive, or a USB stick posing as a legitimate configuration. When the engineer opens the file in DTMSoft, the embedded data is deserialized and arbitrary code executes with the user's privileges on the engineering workstation. … |
| Remediation | Patch available per vendor advisory: apply the fixed DTMSoft release identified in Delta-PCSA-2026-00010 (https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00010_DTMSoft%20Project%20File%20Parsing%20Deserialization%20of%20Untrusted%20Data%20Remote%20Code%20(CVE-2026-12578)_v1.0.pdf); an exact fixed version number was not included in the structured data and must be taken from that PDF. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all DTMSoft installations and affected user populations; issue mandatory security alert prohibiting users from opening DTMSoft project files from external, untrusted, or unexpected sources; enable antivirus scanning for DTMSoft-related files and processes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40266
GHSA-qrm2-gj4m-7475