Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Network-reachable unauthenticated bypass (AV:N/PR:N) but non-trivial preconditions justify AC:H; controller manipulation gives I:H/A:H with no data disclosure (C:N).
Primary rating from Vendor (Deltaww).
CVSS VectorVendor: Deltaww
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
AS228T with Authentication Bypass Vulnerability
AnalysisAI
Authentication bypass in the Delta Electronics AS228T programmable logic controller allows remote attackers to circumvent authentication controls and gain unauthorized access to controller functions over the network, threatening the integrity and availability of the industrial process it governs. The CVSS 3.1 base score is 7.4 (High), driven by high integrity and availability impact (I:H/A:H) with no confidentiality loss, but tempered by high attack complexity (AC:H). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network-level reachability to the AS228T controller's management or communication interface and does not require valid credentials or user interaction (PR:N/UI:N), reflecting the CWE-288 alternate-path bypass. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mixed and lean toward a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to the AS228T - for example after pivoting from an IT network into a poorly segmented OT segment - sends crafted requests to the controller's management or communication interface using the alternate path that bypasses authentication, then modifies control logic or forces an unsafe operating state. Achieving this reliably requires satisfying the high-complexity preconditions in the CVSS vector, and no public proof-of-concept was identified at the time of analysis. |
| Remediation | Consult Delta advisory PCSA-2026-00012 (https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00012_AS228T%20Authentication%20Bypass%20Vulnerability%20(CVE-2026-12579).pdf) for the fixed firmware version and apply the vendor update to affected AS228T units; an exact patched version was not present in the provided data, so treat the advisory as authoritative before scheduling the upgrade. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all AS228T controllers in production; assess network accessibility and document their criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40910
GHSA-3chc-mhxc-xprf