CVE-2025-58317 Overview
CVE-2025-58317 is a stack-based buffer overflow vulnerability in Delta Electronics CNCSoft-G2, a human-machine interface (HMI) software used to configure and operate computer numerical control (CNC) machines. The flaw stems from missing validation of user-supplied files during file parsing. When an operator opens a crafted project file, an attacker can corrupt the stack and execute arbitrary code in the context of the current process. The issue is tracked under CWE-121: Stack-based Buffer Overflow.
Critical Impact
Successful exploitation gives an attacker code execution on an engineering workstation that interacts with CNC equipment, threatening confidentiality, integrity, and availability of industrial control operations.
Affected Products
- Delta Electronics CNCSoft-G2
- Engineering workstations running CNCSoft-G2 used to configure Delta CNC controllers
- Operational technology (OT) environments where CNCSoft-G2 project files are exchanged
Discovery Timeline
- 2025-09-24 - CVE-2025-58317 published to NVD
- 2025-09-25 - Last updated in NVD database
Technical Details for CVE-2025-58317
Vulnerability Analysis
CNCSoft-G2 parses proprietary project files supplied by the user. The parser fails to validate the length of attacker-controlled fields before copying them into a fixed-size stack buffer. Writing past the buffer boundary corrupts adjacent stack data, including the saved return address and structured exception handler records.
Exploitation requires user interaction. The victim must open a malicious file delivered through email, removable media, or a shared engineering project repository. Because CNCSoft-G2 typically runs with the privileges of the logged-in engineer, code executes with those privileges and can pivot to connected CNC controllers or adjacent OT systems.
The attack vector is local, but the file-based delivery mechanism aligns with common intrusion patterns in industrial environments where project files move between vendors, integrators, and plant floors.
Root Cause
The root cause is improper input validation during file parsing, classified as CWE-121: Stack-based Buffer Overflow. The application copies file-derived data into a stack buffer without bounds checking, allowing controlled overwrite of return addresses or exception handlers.
Attack Vector
An attacker crafts a malicious CNCSoft-G2 project file containing oversized or malformed structures. The file is delivered to an engineer through social engineering, supply-chain compromise of project repositories, or a USB drop. Opening the file in CNCSoft-G2 triggers the overflow and redirects execution to attacker-controlled shellcode. Refer to the Delta Electronics Security Advisory (Delta-PCSA-2025-00017) for vendor technical details.
No public proof-of-concept exploit is available at the time of publication, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-58317
Indicators of Compromise
- Unexpected child processes spawned by CNCSoft-G2.exe such as cmd.exe, powershell.exe, or rundll32.exe
- CNCSoft-G2 process crashes or Windows Error Reporting events referencing access violations during file open operations
- CNCSoft-G2 project files originating from untrusted email attachments, external USB media, or unverified network shares
- Outbound network connections initiated by the CNCSoft-G2 process to non-Delta infrastructure
Detection Strategies
- Monitor process lineage on engineering workstations for CNCSoft-G2 spawning interpreters, scripting hosts, or LOLBins
- Inspect crash telemetry for stack corruption signatures in the CNCSoft-G2 parser modules
- Apply file-type and source policies that flag CNCSoft-G2 project files arriving from outside approved engineering channels
Monitoring Recommendations
- Forward endpoint telemetry from engineering workstations to a centralized SIEM for correlation with email and removable-media events
- Baseline normal CNCSoft-G2 behavior, including expected child processes and network destinations, and alert on deviations
- Track software inventory to identify all hosts running vulnerable CNCSoft-G2 versions until patching is complete
How to Mitigate CVE-2025-58317
Immediate Actions Required
- Update CNCSoft-G2 to the fixed version identified in the Delta Electronics Security Advisory
- Restrict CNCSoft-G2 installations to dedicated engineering workstations and remove it from systems that do not require it
- Train engineers and integrators to open only project files received through verified channels
- Enforce least privilege so CNCSoft-G2 does not run with administrative rights
Patch Information
Delta Electronics has published advisory Delta-PCSA-2025-00017 describing the stack-based buffer overflow and providing remediation guidance. Apply the vendor-supplied fixed release to all hosts running CNCSoft-G2 as the primary remediation.
Workarounds
- Block inbound CNCSoft-G2 project files at email and web gateways until patching is verified
- Disable auto-open and preview features for project files on engineering workstations
- Segment engineering workstations from corporate networks and the public internet using a demilitarized zone aligned with IEC 62443
- Use application allowlisting to prevent unauthorized child processes from launching under CNCSoft-G2
# Example AppLocker rule snippet to block unexpected child processes under CNCSoft-G2
# (adapt paths and publisher data to your environment before deployment)
New-AppLockerPolicy -RuleType Path -User Everyone `
-Path "%PROGRAMFILES%\Delta Industrial Automation\CNCSoft-G2\*" `
-Action Deny -RuleNamePrefix "Block-CNCSoftG2-Children"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
