Skip to main content

Delta AS228T CVE-2026-12579

| EUVDEUVD-2026-40910 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-07-01 Deltaww GHSA-3chc-mhxc-xprf
7.4
CVSS 3.1 · Vendor: Deltaww
Share

Severity by source

Vendor (Deltaww) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
7.4 HIGH

Network-reachable unauthenticated bypass (AV:N/PR:N) but non-trivial preconditions justify AC:H; controller manipulation gives I:H/A:H with no data disclosure (C:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Deltaww).

CVSS VectorVendor: Deltaww

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 07:15 vuln.today

DescriptionCVE.org

AS228T with Authentication Bypass Vulnerability

AnalysisAI

Authentication bypass in the Delta Electronics AS228T programmable logic controller allows remote attackers to circumvent authentication controls and gain unauthorized access to controller functions over the network, threatening the integrity and availability of the industrial process it governs. The CVSS 3.1 base score is 7.4 (High), driven by high integrity and availability impact (I:H/A:H) with no confidentiality loss, but tempered by high attack complexity (AC:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach PLC over OT network
Delivery
Send crafted request via alternate path
Exploit
Bypass authentication (CWE-288)
Execution
Access protected controller functions
Impact
Alter logic or disrupt process

Vulnerability AssessmentAI

Exploitation Exploitation requires network-level reachability to the AS228T controller's management or communication interface and does not require valid credentials or user interaction (PR:N/UI:N), reflecting the CWE-288 alternate-path bypass. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and lean toward a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to the AS228T - for example after pivoting from an IT network into a poorly segmented OT segment - sends crafted requests to the controller's management or communication interface using the alternate path that bypasses authentication, then modifies control logic or forces an unsafe operating state. Achieving this reliably requires satisfying the high-complexity preconditions in the CVSS vector, and no public proof-of-concept was identified at the time of analysis.
Remediation Consult Delta advisory PCSA-2026-00012 (https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00012_AS228T%20Authentication%20Bypass%20Vulnerability%20(CVE-2026-12579).pdf) for the fixed firmware version and apply the vendor update to affected AS228T units; an exact patched version was not present in the provided data, so treat the advisory as authoritative before scheduling the upgrade. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all AS228T controllers in production; assess network accessibility and document their criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy