CISA has published an ICS advisory warning that all versions of Delta Electronics DTM Soft are affected by a deserialization of untrusted data vulnerability that could allow an attacker to execute arbitrary code on a targeted system.

Vulnerability Details

The flaw, tracked as CVE-2026-12578, is rooted in improper handling of untrusted data during deserialization (CWE-502). Successful exploitation requires local access and user interaction, specifically a victim opening a crafted or malicious project file. The vulnerability scores 7.8 (HIGH) on the CVSSv3.1 scale and 8.4 (HIGH) under CVSSv4.0, reflecting high impacts to confidentiality, integrity, and availability.

The attack vector is local, meaning the vulnerability cannot be exploited remotely. No known public exploitation has been reported to CISA at this time.

Affected Products

  • Delta Electronics DTM Soft: all versions

Remediation Status

Delta Electronics is aware of the vulnerability and is working on a fix, but no patch is currently available. In the interim, the vendor recommends the following mitigations:

  • Do not open unsolicited project files. Avoid opening or importing project files from untrusted sources, unexpected email attachments, network shares, or USB drives. Always verify file origin before opening.
  • Avoid running as administrator. Launch DTM Soft with standard user privileges rather than using the “Run as Administrator” option. Reduced privilege limits the potential damage if malicious code executes.
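
As an added example (not code from CISA or Delta Electronics), the PowerShell script below shows one way to apply both mitigations before a project file is opened: it refuses to proceed from an elevated session, flags files carrying Mark-of-the-Web, and checks the file's SHA-256 against a list of approved project files. The approved-hash list (one digest per line, maintained by the site's engineering team) and both parameter names are assumptions.

```powershell
# Added example: pre-open check for a project file (not vendor code).
# Assumption: $ApprovedHashList is a text file with one SHA-256 hex digest
# per line for project files the engineering team has already vetted.
param(
    [Parameter(Mandatory)][string]$ProjectFile,
    [Parameter(Mandatory)][string]$ApprovedHashList
)

$problems = @()

# 1. "Avoid running as administrator": refuse to continue when elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += 'Session is elevated; reopen as a standard user.'
}

# 2. "Verify file origin": browsers and mail clients tag downloads with the
#    Zone.Identifier alternate data stream (Mark-of-the-Web, NTFS only).
#    A missing tag proves nothing (USB and archive copies often lose it),
#    so this check only ever adds a warning.
try   { $motw = Get-Content -LiteralPath $ProjectFile -Stream Zone.Identifier -ErrorAction Stop }
catch { $motw = $null }
$zone = $null
foreach ($line in $motw) {
    if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
}
if ($null -ne $zone -and $zone -ge 3) {
    $problems += "Mark-of-the-Web present (ZoneId=$zone): file arrived from the internet or e-mail."
}

# 3. Allowlist: only files whose hash was recorded after vetting may be opened.
$hash     = (Get-FileHash -LiteralPath $ProjectFile -Algorithm SHA256).Hash
$approved = Get-Content -LiteralPath $ApprovedHashList |
            ForEach-Object { $_.Trim().ToUpperInvariant() }
if ($approved -notcontains $hash) {
    $problems += "SHA-256 $hash is not in the approved list."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK to open: $ProjectFile"
```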

Broader ICS Hardening Guidance

CISA reiterates standard ICS defensive practices: isolate control system networks behind firewalls, avoid direct internet exposure for ICS devices, and use VPNs for remote access while keeping those VPNs fully patched. Organizations that observe suspected malicious activity should report findings to CISA.

The vulnerability was reported to CISA by kimiya of TrendAI Zero Day Initiative. Organizations using DTM Soft in critical manufacturing environments should apply the available workarounds immediately and monitor Delta Electronics’ advisory page for patch availability.