Skip to main content

Delta DTMSoft CVE-2026-12578

| EUVDEUVD-2026-40266 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-30 Deltaww GHSA-qrm2-gj4m-7475
8.4
CVSS 4.0 · Vendor: Deltaww
Share

Severity by source

Vendor (Deltaww) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

File-parsing deserialization needs a victim to open a malicious local file (AV:L, UI:R) with no attacker auth (PR:N); successful RCE yields full C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Deltaww).

CVSS VectorVendor: Deltaww

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 08:59 vuln.today

DescriptionCVE.org

The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code.

AnalysisAI

Arbitrary code execution in Delta Electronics DTMSoft arises from unsafe deserialization of untrusted data during project file parsing (CWE-502), allowing an attacker who supplies a malicious DTMSoft project file to run code in the context of the user who opens it. The flaw is local and requires victim interaction (opening the crafted file) rather than remote network exploitation, and impacts confidentiality, integrity, and availability fully. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious DTMSoft project file
Delivery
Deliver file to engineer (email/USB/share)
Exploit
Victim opens file in DTMSoft
Execution
Untrusted data deserialized
Impact
Arbitrary code executes as user

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open a maliciously crafted DTMSoft project file inside DTMSoft - the vulnerable code path is the project-file parsing/deserialization routine, so a triggering file must be delivered to and opened by a user (consistent with AV:L and UI:A). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, base 8.4) and its CVSS 3.1 equivalent both characterize this as a high-severity but user-interaction-dependent, locally-vectored issue - it is not a remotely auto-exploitable service bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a DTMSoft project file containing a malicious serialized object graph and delivers it to an engineer via email, a shared drive, or a USB stick posing as a legitimate configuration. When the engineer opens the file in DTMSoft, the embedded data is deserialized and arbitrary code executes with the user's privileges on the engineering workstation. …
Remediation Patch available per vendor advisory: apply the fixed DTMSoft release identified in Delta-PCSA-2026-00010 (https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00010_DTMSoft%20Project%20File%20Parsing%20Deserialization%20of%20Untrusted%20Data%20Remote%20Code%20(CVE-2026-12578)_v1.0.pdf); an exact fixed version number was not included in the structured data and must be taken from that PDF. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all DTMSoft installations and affected user populations; issue mandatory security alert prohibiting users from opening DTMSoft project files from external, untrusted, or unexpected sources; enable antivirus scanning for DTMSoft-related files and processes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12578 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy