Skip to main content

Delta DVP80ES300T EUVDEUVD-2026-40911

| CVE-2026-14193 HIGH
Improper Validation of Array Index (CWE-129)
2026-07-01 Deltaww GHSA-255r-96jc-w7r6
7.5
CVSS 3.1 · Vendor: Deltaww
Share

Severity by source

Vendor (Deltaww) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable, unauthenticated, low-complexity request triggers an out-of-bounds index causing device crash, so AV:N/AC:L/PR:N with availability-only A:H and no C/I impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Deltaww).

CVSS VectorVendor: Deltaww

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 07:15 vuln.today

DescriptionCVE.org

DVP80ES300T with Improper Validation of Array Index Vulnerability

AnalysisAI

Denial-of-service in the Delta Electronics DVP80ES300T programmable logic controller allows remote unauthenticated attackers to crash the device by triggering an improper array-index validation flaw (CWE-129). Per the CVSS vector the impact is limited to availability (A:H) with no confidentiality or integrity loss, so a successful attack halts PLC operation rather than exposing data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach PLC on control network
Delivery
Send crafted protocol request
Exploit
Trigger out-of-bounds array index
Execution
Corrupt firmware memory state
Impact
Crash PLC / halt process

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the DVP80ES300T's communication interface and the ability to send a crafted request carrying an out-of-bounds array index value; per AV:N/AC:L/PR:N/UI:N no authentication, no user interaction, and no special product configuration are called out in the available data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) indicates a network-reachable, low-complexity, unauthenticated attack whose sole consequence is loss of availability - a clean DoS profile with no code-execution or data-disclosure claim. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to the PLC - for example after pivoting from an IT network into a poorly segmented control network - sends a crafted protocol request containing a manipulated index value that the firmware uses to access an internal array without bounds checking. The out-of-bounds access faults the firmware and halts the control program, stopping the monitored industrial process until the device is manually recovered. …
Remediation Consult Delta advisory Delta-PCSA-2026-00013 (https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00013_DVP80ES300T%20Improper%20Validation%20of%20Array%20Index%20Vulnerability%20(CVE-2026-14193).pdf) and apply the vendor-provided firmware update; a specific fixed version is not present in the available data and must be taken from that advisory rather than assumed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all Delta DVP80ES300T devices in your environment and their criticality to production processes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40911 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy