CISA has published an advisory detailing two critical vulnerabilities affecting all versions of the Delta Electronics DVP12SE programmable logic controller (PLC). Both flaws reside in the device’s Modbus TCP service and carry CVSS v3.1 scores of 9.8, meaning a network-adjacent or internet-reachable attacker requires no credentials, privileges, or user interaction to exploit them.
Unauthenticated Access to Control Functions (CVE-2026-12819)
The first vulnerability (CWE-306, Missing Authentication for Critical Function) stems from the DVP12SE exposing its Modbus TCP service without any authentication or access control. Any host that can reach the device over the network may read or write coils, holding registers, relay states, and process control parameters freely. This means an attacker could remotely alter operational values, overwrite control logic, or otherwise interfere with industrial processes without needing to present credentials or receive operator approval.
Resource Exhaustion via Modbus Flooding (CVE-2026-12818)
The second vulnerability (CWE-770, Allocation of Resources Without Limits or Throttling) exposes the same Modbus TCP port to resource exhaustion attacks. A remote attacker can flood TCP port 502 with a sustained stream of raw or malformed packets, potentially denying service to legitimate operators and disrupting industrial control operations.
Affected Products and Deployment Context
All firmware versions of the DVP12SE PLC are confirmed affected. The device is deployed worldwide across critical manufacturing sectors. Delta Electronics, headquartered in Taiwan, is aware of both issues and is working on a fix, though no patched firmware is currently available.
Recommended Mitigations
Until a patch is released, Delta Electronics and CISA recommend the following compensating controls:
- Enable IP Filtering: Use the PLC’s built-in IP Filter feature to restrict Modbus TCP access to known, trusted hosts such as designated HMI panels or SCADA servers.
- Enable PLC Password Protection: Activate password protection within the programming software to harden access to the device’s control logic and configuration parameters.
- Network Isolation: Place the PLC within a dedicated OT control network protected by a firewall, and never expose it directly to the internet or corporate office networks.
- Secure Remote Access: If remote access is required, enforce use of a VPN and ensure the VPN software is kept up to date.
The vulnerabilities were reported to CISA by researcher Adm Bin Harbi (0xnoag) of Corvo Security. Organizations operating DVP12SE devices should treat this as high-priority given the critical CVSS scores and the complete absence of authentication on the affected service.
