Delta Electronics CNCSoft-G2: Inadequate User-Supplied Data Validation Key Vulnerability
CVE-2024-47964

7.8HIGH

Key Information:

Vendor: Delta Electronics
Status: Cncsoft-g2
Vendor: CVE Published:; 10 October 2024

Summary

The Delta Electronics CNCSoft-G2 software exhibits a vulnerability due to improper validation of user-supplied data length before copying it to a heap-based buffer with a fixed length. This flaw allows a malicious actor to potentially exploit the vulnerability by enticing users to open a specially crafted web page or file, leading to arbitrary code execution in the context of the current process. This situation poses significant risks, as it can compromise system integrity, allowing attackers to manipulate the operations of CNC machines or download additional malicious payloads.

Affected Version(s)

CNCSoft-G2 2.1.0.10

References

https://www.cisa.gov/news-events/ics-advisories/icsa-24-2...

government-resource

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 10, 2024
Vulnerability Reserved
Oct 7, 2024

Credit

Bobby Gould, Fritz Sands, and Natnael Samson working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.