Skip to main content

Delta DVP12SE CVE-2026-12818

| EUVDEUVD-2026-40257 CRITICAL
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-30 Deltaww GHSA-4mxr-9xw9-9cr4
9.3
CVSS 4.0 · Vendor: Deltaww
Share

Severity by source

Vendor (Deltaww) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable Modbus service (AV:N/AC:L/PR:N/UI:N); CWE-770 resource exhaustion yields availability-only impact, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Deltaww).

CVSS VectorVendor: Deltaww

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 07:31 vuln.today

DescriptionCVE.org

Delta Electronics DVP12SE PLCs are susceptible to a resource allocation vulnerability without limits or throttling (CWE-770) within their Modbus TCP service.

AnalysisAI

Resource exhaustion in Delta Electronics DVP12SE programmable logic controllers lets remote attackers crash or hang the device by overwhelming its Modbus TCP service, which lacks connection/resource throttling (CWE-770). Any host able to reach the PLC's Modbus TCP port can degrade or deny control of the affected industrial process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach PLC on Modbus TCP/502
Delivery
Open or flood Modbus connections
Exploit
Exhaust unthrottled device resources
Execution
Modbus service stalls or crashes
Impact
Loss of process control/availability

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the DVP12SE's Modbus TCP service (typically TCP port 502) and that the Modbus TCP interface is enabled, which is its standard operating mode; no authentication, credentials, or user interaction are needed (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) correctly reflects an unauthenticated, low-complexity, network-reachable attack, but its impact metrics (VC:H/VI:H/VA:H) conflict with the underlying weakness: CWE-770 plus the 'Denial Of Service' tag point to an availability-only impact, not high confidentiality and integrity loss - verify the impact scope with the vendor advisory, as the 9.3 rating appears inflated for a resource-exhaustion DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can route to the PLC's Modbus TCP port opens or floods connections/requests faster than the device can reclaim resources, exhausting its memory or socket pool until the Modbus service stalls or the controller becomes unresponsive. Because the vector is network-based, unauthenticated, and low-complexity, this can be triggered from a compromised engineering workstation or any device with line-of-sight to the control network, halting the monitored process. …
Remediation Apply the firmware update referenced in Delta advisory Delta-PCSA-2026-00011 (https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00011_DVP12SE%20Multiple%20Vulnerabilities%20(CVE-2026-12818,%20CVE-2026-12819)_v1.0.pdf); the input does not contain an exact fixed version number, so confirm the patched firmware build directly from that advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all DVP12SE devices and map network connectivity, particularly identifying which devices have Modbus TCP port 502 accessible from untrusted networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy