CVE-2026-3094: When a File Becomes a Weapon — Inside the Delta Electronics CNCSoft-G2 Vulnerability

A specially crafted project file. An engineer who opens it. A CNC machine on a production floor that moves metal. CVE-2026-3094 is a high-severity out-of-bounds write vulnerability in Delta Electronics CNCSoft-G2 — and it turns a routine workflow into an attack vector.

CVE: CVE-2026-3094
Published: March 4, 2026 | CISA Advisory: March 5, 2026
Advisory: ICSA-26-064-01 | Vendor: Delta-PCSA-2026-00004
Affected: Delta Electronics CNCSoft-G2 prior to V2.1.0.39
CVSS v3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787 (Out-of-Bounds Write)
Researcher: Natnael Samson (@NattiSamson) — TrendAI Zero Day Initiative (ZDI)

What Is Delta Electronics CNCSoft-G2?

Delta Electronics, headquartered in Taiwan, is one of the world's largest providers of industrial automation components and systems. Founded in 1971, the company serves industries ranging from semiconductor fabrication and automotive manufacturing to energy infrastructure and precision engineering. Its products are deployed globally, and its CNCSoft software line has, for decades, been a standard interface tool in environments that rely on CNC machine control.

CNCSoft-G2 is the second-generation iteration of that software — a Windows-based HMI and engineering workstation application used to author, configure, and manage project files for Delta's CNC and automation devices. In practical terms, an engineer uses CNCSoft-G2 to design machine sequences, define operational parameters, and push those configurations down to physical equipment on a production floor. The software reads and writes DPAX files — proprietary project containers that hold the machine configurations, programming instructions, and operational settings that define how a CNC machine behaves.

CISA's advisory classified CNCSoft-G2 under the Critical Manufacturing sector with worldwide deployment. That classification is not bureaucratic boilerplate. It reflects the reality that CNCSoft-G2 runs on workstations that sit at the intersection of digital programming and physical industrial operations — in automotive plants, aerospace facilities, electronics production lines, and precision engineering environments across the United States, Europe, and Asia.

Why This Matters

When software at the intersection of digital programming and physical industrial operations has a memory corruption vulnerability, the consequences of exploitation are not theoretical. A CNC machine that executes an unauthorized instruction does not send an error to a log. It moves metal.

The Vulnerability: A Parsing Flaw in the DOPSoft Component

At its technical core, CVE-2026-3094 is a failure of input validation. According to both the CISA advisory and Delta's own vendor bulletin (Delta-PCSA-2026-00004), CNCSoft-G2 versions prior to V2.1.0.39 are vulnerable to an out-of-bounds write while parsing DPAX files within the DOPSoft component.

The DOPSoft component is the file-handling and project management engine embedded within CNCSoft-G2. DPAX files are not simple flat data structures — they contain layered project data, device mappings, communication parameters, and machine programming logic. When CNCSoft-G2 opens a DPAX file, the DOPSoft parser reads through this data sequentially, allocating memory buffers and populating them with file contents.

The vulnerability arises because the parser does not sufficiently validate the size of certain data structures within the file before writing them to memory. An attacker who crafts a DPAX file with malformed or oversized data can cause the parser to write beyond the boundary of an allocated buffer — a classic out-of-bounds write condition. When that write lands in adjacent memory, it corrupts data that the process is actively using. With careful construction, an attacker can use that corruption to redirect program execution to code of their choosing.

CISA advisory ICSA-26-064-01: "Successful exploitation of this vulnerability could result in an attacker achieving remote code execution on the device." (CISA, March 5, 2026)

The CVSS v3.1 vector string — AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H — tells a precise story:

  • AV:L (Attack Vector: Local) — The vulnerability cannot be exploited over a network on its own. The malicious file must be present on or delivered to the target system.
  • AC:L (Attack Complexity: Low) — Once a malicious file is in play, exploitation does not require special conditions or timing. It is straightforward.
  • PR:N (Privileges Required: None) — The attacker does not need any existing account or access rights on the system.
  • UI:R (User Interaction: Required) — The target must open the crafted file.
  • C:H / I:H / A:H — Full compromise of confidentiality, integrity, and availability if exploitation succeeds.

The score of 7.8 on the CVSS v3.1 scale places this firmly in the High severity category. The attack complexity is low once delivery is achieved, meaning that after the file reaches an engineer's workstation, the barrier to exploitation is minimal.

How the Attack Would Work in Practice

The "User Interaction Required" flag in the CVSS vector leads some readers to mentally downgrade the risk. That would be a mistake. In industrial environments, user interaction with project files is not an anomalous event — it is the entire workflow.

Engineers routinely receive DPAX files from colleagues, contractors, equipment vendors, and third-party integrators. Files are shared over email, USB drives, internal file servers, and vendor portals. A DPAX file arriving from an apparently legitimate source — a vendor providing updated machine parameters, a contractor submitting a modified project, a colleague sharing a configuration — would not raise suspicion. An engineer in that environment has no reason to treat a project file as a potential weapon unless they have been specifically trained to do so.

The attack chain proceeds as follows: an attacker crafts a DPAX file containing malformed data structures in the sections parsed by DOPSoft. When the engineer opens the file, CNCSoft-G2's parser reads the malformed sections, attempts to write the oversized data into a fixed-size buffer, and writes beyond the buffer boundary. The overwrite corrupts adjacent memory. Depending on what memory is overwritten and how the payload is structured, the attacker gains the ability to redirect execution — running their own code under the same permissions as the CNCSoft-G2 process.

On a typical engineering workstation, CNCSoft-G2 runs with elevated privileges — often administrative — because it needs to interact with hardware interfaces, device drivers, and communication stacks for the physical machines it manages. That means a successful exploit does not merely compromise the CNCSoft-G2 application. It compromises the workstation, with the access level required to pivot further into the OT network, manipulate machine configurations, or install persistent malware on a host that may not be routinely scanned by enterprise security tools.

Network Segmentation Is Not Sufficient

The attack does not require network access to the target machine before delivery. It only requires getting a file to an engineer who will open it. A workstation unreachable from the internet can still receive a malicious DPAX via email, USB, or a shared corporate drive.

The Researcher: Natnael Samson and the ZDI Disclosure

The vulnerability was reported by Natnael Samson, known online as @NattiSamson, working through the TrendAI Zero Day Initiative (ZDI). Samson's name is not new to ICS security disclosures. A review of the CISA advisory archive reveals that Samson has been reporting vulnerabilities in Delta Electronics' CNCSoft product line since at least 2018 — a track record spanning nearly a decade and covering multiple generations of the software.

Samson reported vulnerabilities in Delta's CNCSoft ScreenEditor to CISA in 2018, again in 2020, and again in 2021. When Delta introduced CNCSoft-B and later CNCSoft-G2, Samson continued finding and responsibly disclosing issues — including CVE-2023-4685 and CVE-2023-25177 in CNCSoft-B DOPSoft, CVE-2024-1941 in CNCSoft-B, and multiple CNCSoft-G2 advisories throughout 2024 and 2025. Each of those disclosures followed the same responsible disclosure model: research conducted through the TrendAI ZDI, coordinated notification to the vendor, and publication coordinated with CISA once a patch was available or a disclosure deadline was reached.

The TrendAI Zero Day Initiative (ZDI) — Trend Micro's vendor-agnostic vulnerability disclosure program, operating under the TrendAI brand — represents the world's largest bug bounty program of its kind. Operating since July 2005, the ZDI pays independent researchers for responsibly disclosing vulnerabilities and holds technical details from the public until the affected vendor mitigates the issue. Samson's sustained focus on Delta Electronics' CNCSoft line represents an unusually deep and persistent engagement with a single software family. That depth matters: the findings across 2024, 2025, and now 2026 are not isolated bugs. They describe a pattern of insufficient input validation across multiple generations of the same product, in the same functional component, affecting the same file-parsing operations.

CVE-2026-3094 continues that pattern. According to the ZDI advisory (ZDI-26-151), the vulnerability was reported to Delta Electronics on December 11, 2025 — nearly three months before public disclosure. The CVE was reserved on February 24, 2026, published on March 4, 2026, and the CISA advisory followed on March 5, 2026. The ZDI's own coordinated public release came on March 6, 2026 — a tightly coordinated disclosure that gave Delta time to produce and release a patch before the vulnerability became public knowledge.

That three-month vendor notification window is itself a data point. It indicates a complex, layered file-parsing codebase that required non-trivial remediation time — not a simple one-line fix. It also reflects the ZDI's stated disclosure policy: technical details are withheld from the public until the vendor mitigates the issue, with public disclosure used as a backstop if the vendor fails to act within a reasonable timeframe. In this case, the vendor delivered.

A Pattern, Not an Incident: The CNCSoft-G2 Vulnerability History

CVE-2026-3094 does not exist in isolation. It is the latest in a series of high-severity memory corruption vulnerabilities disclosed in CNCSoft-G2 over the past two years, all sharing the same fundamental characteristic: the software does not adequately validate user-supplied data before writing it to memory.

According to CISA advisory records, the pattern for CNCSoft-G2 includes:

  • CVE-2024-39880, CVE-2024-39881, CVE-2024-39882, CVE-2024-39883 — Four vulnerabilities disclosed July 2024, affecting version 2.0.0.5: CVE-2024-39880 (stack-based buffer overflow), CVE-2024-39881 (memory corruption), CVE-2024-39882 (out-of-bounds read), CVE-2024-39883 (heap-based buffer overflow). CVSS v3.1 scores of 7.8 each. CISA advisory ICSA-24-191-01.
  • CVE-2024-4192 — A stack-based buffer overflow in DOPSoft affecting CNCSoft-G2 versions 2.0.0.5 (with DOPSoft v5.0.0.93) and prior, disclosed April/May 2024. CVSS v3.1 score of 7.8; CVSS v4 score of 8.5. CISA advisory ICSA-24-121-01.
  • CVE-2024-12858 — A stack-based buffer overflow affecting versions 2.1.0.16 and prior, disclosed late 2024. CVSS v3.1 score of 7.8. CISA advisory ICSA-24-191-01 (Update A).
  • CVE-2025-22880 — A heap-based buffer overflow affecting versions 2.1.0.10 and prior, added February 2025. CVSS v3.1 score of 7.8; CVSS v4 score of 8.4. Reported by Bobby Gould, Fritz Sands, and Natnael Samson working with ZDI.
  • CVE-2025-58319 — A stack-based buffer overflow in DOPSoft affecting versions 2.1.0.27 and prior, disclosed 2025. CVSS v3.1 score of 7.8; CVSS v4 score of 8.5. CISA advisory ICSA-24-121-01 (Update A).
  • CVE-2026-3094 — The current advisory, affecting all versions prior to V2.1.0.39. CVSS v3.1 score of 7.8. CISA advisory ICSA-26-064-01.

Cybersecurity analysis from SOCRadar, reviewing the full ICS advisory landscape for 2024–2025, identified CNCSoft-G2 as one of the five most frequently cited products in CISA ICS advisories during that period, with five separate advisories. The analysis also found that out-of-bounds write vulnerabilities (CWE-787) appeared 57 times across all ICS advisories in the period — tying with out-of-bounds read as the second most common weakness type, behind only improper input validation.

What this history reveals is not a single lapse in software quality. It is a structural pattern: the DOPSoft component's file-parsing routines have repeatedly been found to handle user-supplied data without sufficient boundary checking. Each patch closes a specific code path. Each subsequent disclosure finds another one.

One additional signal worth noting: in a parallel advisory (ICSA-25-175-02), CISA disclosed that Delta's legacy CNCSoft A-series — the predecessor product line — will not be patched for its own set of file-parsing CVEs (CVE-2025-47724 through CVE-2025-47727). Delta's stated position is that the A-series products are discontinued, and the company has confirmed that CNCSoft will be removed from the Delta Download Center entirely. Organizations still running legacy CNCSoft versions are advised to migrate to newer products. That advisory, too, was disclosed by Natnael Samson through ZDI. The implication is stark: the same researcher, the same class of vulnerability, spanning a product family now covering multiple generations — with the oldest generation receiving a permanent no-patch verdict.

There is also an ICS advisory accuracy problem worth flagging here. Dragos's 2026 OT/ICS Cybersecurity Report, reviewing the full vulnerability advisory landscape for 2025, found that 25% of ICS-CERT and NVD entries contained incorrect CVSS scores, and 26% of advisories lacked any patch or vendor-provided mitigation. That does not apply to this specific advisory — the CVE-2026-3094 CVSS vector is consistent across sources and a patch is available. But it is the broader context in which security teams are expected to triage and prioritize. When roughly one in four CVSS scores in ICS advisories is miscalculated, automated prioritization tools that rely on those scores will routinely misrank risk. This vulnerability's 7.8 score is accurate and the severity is real. That is not always a safe assumption elsewhere in the ICS advisory ecosystem.

The OT Patching Problem — and Who Bears Responsibility

Delta Electronics has responded to CVE-2026-3094 with a patched release, and the disclosure was handled responsibly. That is the good news. The more complicated reality is what happens next.

CISA's advisory recommends that organizations update to CNCSoft-G2 version 2.1.0.39 immediately. For organizations with standard IT infrastructure, "apply the patch immediately" is a straightforward directive. For organizations running industrial control systems, it is rarely that simple.

Engineering workstations running CNCSoft-G2 are often tightly coupled to production operations. Patching a production engineering workstation typically requires scheduling a maintenance window, validating that the updated software does not disrupt existing machine configurations or programming workflows, testing against the specific hardware and device communication stacks in use, and coordinating with production schedulers to ensure the workstation is offline during the window. In high-throughput manufacturing environments — automotive assembly lines, semiconductor fabrication facilities, aerospace component production — those windows are narrow, scheduled far in advance, and resisted by operations teams who view any change to a working system as a risk.

This creates the patching gap that makes vulnerabilities like CVE-2026-3094 dangerous long after the disclosure date. An organization that received the advisory on March 5, 2026, may not complete patching until weeks or months later. During that interval, the vulnerability is public, the affected software version is known, and the only barrier to exploitation is that a malicious DPAX file has not yet reached an engineer who will open it.

The PoC Window Is Not Hypothetical

Dragos's 2026 OT/ICS report documents that AZURITE rapidly incorporates publicly available proof-of-concept code into active operations, targeting the interval between PoC release and organizational patch deployment. CVE-2026-3094 is now public. Any organization still running a pre-V2.1.0.39 version of CNCSoft-G2 is operating inside that window.

The CVSS vector's AV:L (local attack vector) specifies that the vulnerability is not remotely exploitable over a network in isolation — but network-level controls alone are not sufficient mitigation. This matters because many OT security programs rely heavily on network segmentation as a primary control. A workstation that cannot be reached from the internet might still receive files via email, removable media, or a shared drive accessible from a corporate IT network. The file delivery pathway exists even when the network perimeter appears intact.

The Last-Mile Problem: Does the Engineer Know?

There is a question the patching conversation consistently sidesteps: who bears responsibility? Delta produced the vulnerable code. Third-party integrators deploy and configure CNCSoft-G2. End-user organizations operate it, often years after initial deployment. When a vulnerability is disclosed and a patch is available but operationally difficult to apply, the risk sits with the end user — the organization least equipped to assess the technical severity and most constrained by production schedules. The coordinated disclosure model works well for getting patches made. It does not, on its own, resolve the accountability gap between where the vulnerability was created and where the exposure is carried.

But there is an even more granular gap that rarely gets named: does the engineer who opens DPAX files every day actually know CVE-2026-3094 exists? CISA advisories are published on a government website. They are picked up by threat intelligence platforms, security newsletters, and vendor notification systems — for organizations that subscribe to those feeds, have a security team monitoring them, and have a process for routing ICS advisories to the right people. Many organizations running CNCSoft-G2 do not have that infrastructure. The engineer in the automotive plant or the semiconductor fabrication facility who will be the actual target of a weaponized DPAX file may have no mechanism by which the existence of this advisory reaches them. The security information chain ends somewhere before the person who needs to know.

This is not a criticism of CISA's disclosure process — it is an observation about the gap between disclosure and awareness at the operational level. Organizations that run industrial software need to build a process by which CISA ICS advisories are actively monitored, triaged, and communicated to the operational staff they affect. That process does not exist by default. It must be built deliberately. For many organizations, the answer is to subscribe to CISA's ICS advisory email list and assign someone to review it — a low-effort, high-value control that narrows the awareness gap at no cost.

Mitigation: What Organizations Should Do Now

For organizations currently running CNCSoft-G2 versions prior to V2.1.0.39, the following actions reflect both CISA's guidance and broader OT security best practices. The list goes beyond what standard advisories typically propose, because the patching gap is real and organizations need a response strategy for the interval between disclosure and successful patch deployment.

Priority Action

Patch to V2.1.0.39 immediately. The updated version resolves CVE-2026-3094. The patched release is available from Delta's download center at: downloadcenter.deltaww.com. Test the update in a non-production environment before deploying to active engineering workstations.

  1. Validate against all prior CVEs, not just the current one. Given the history of multiple CVEs with different affected version thresholds, confirm that the installed version addresses every prior advisory. The relevant CISA advisories — ICSA-24-121-01, ICSA-24-191-01, and ICSA-26-064-01 — each specify different minimum version requirements. If your installed version is between two affected thresholds, you may be patched against one CVE but still exposed to another.
  2. If you have legacy CNCSoft A-series installations, escalate immediately. CISA advisory ICSA-25-175-02 confirms that Delta will not patch file-parsing vulnerabilities in the A-series product line. Those systems are permanently vulnerable by vendor decision. Migration to a current, supported product is the only path to resolution. Document and formally accept or remediate that risk — it cannot be patched away.
  3. Control the DPAX file intake surface with verification, not just awareness. Restricting DPAX file sources to verified internal channels is necessary but insufficient if files arrive without integrity verification. Implement cryptographic hash verification (SHA-256 minimum) for all project files received from external parties, including vendors and contractors. Establish a known-good baseline hash for every DPAX file in use, stored separately from the workstation, and verify against it before opening any file returned from external handling. This converts file provenance from a trust-based to a verification-based process.
  4. Implement CDR (Content Disarm and Reconstruction) for ICS file transfers. Content Disarm and Reconstruction tools — available from vendors like OPSWAT and Forcepoint — process files by extracting known-safe content elements and rebuilding the file without potentially malicious structures. CDR is a more aggressive control than antivirus for file-based threats: rather than attempting to detect known-bad patterns, it strips anything that isn't explicitly known-safe. Applying CDR to DPAX files entering engineering environments from external sources or corporate IT networks reduces the attack surface before the file reaches the parser. OPSWAT in particular has ICS-specific tooling designed for this use case.
  5. Treat network segmentation as necessary but not sufficient. CISA recommends minimizing network exposure for control system devices and placing them behind firewalls isolated from business networks. These controls reduce the attack surface but do not eliminate it, given the file-delivery attack vector. Segment the engineering workstation from the corporate IT network at the network level, but treat files crossing that boundary with the same inspection rigor you apply to email attachments entering your corporate environment.
  6. Implement application allowlisting on engineering workstations. Restricting which executables can run on workstations that host CNCSoft-G2 limits the attacker's ability to execute secondary payloads after initial exploitation. Microsoft AppLocker and similar tools can be configured to permit only signed, approved executables. On workstations that do not require frequent software changes, this control is highly effective at containing post-exploitation activity.
  7. Monitor for anomalous behavior from engineering workstations — with OT-aware baselines. Because CNCSoft-G2 workstations interact with physical machines, anomalous process spawning, unexpected network connections, or modifications to device configuration files are indicators worth detecting. Generic IT endpoint detection tools often lack ICS protocol awareness and will generate excessive false positives in OT environments. OT-aware monitoring solutions from vendors such as Dragos, Claroty, and Nozomi Networks can baseline normal engineering workstation behavior and alert on deviations, including unexpected child processes spawned from the CNCSoft-G2 executable — which is exactly what a successful exploit would produce.
  8. Establish a formal file verification chain for the supply chain and integrator relationships. Many DPAX files in production environments originated from equipment vendors, system integrators, or OEM machine builders years ago. Those parties may have had different security postures than your current standards. Audit the provenance of every project file in use. Where original sources cannot be verified, treat those files as unverified and apply additional scrutiny before they are opened on a patched or unpatched system. Supply chain compromise via legitimate file delivery channels is a documented real-world ICS attack vector, not a theoretical one.
  9. Subscribe to CISA ICS advisory notifications and build a routing process for them. CISA distributes ICS advisories by email at no cost — subscribe at cisa.gov/ics. The larger and often unaddressed problem is ensuring that advisories reach the people who need to act on them. A CISA advisory received by a corporate IT team and never forwarded to the OT operations team running CNCSoft-G2 provides no protection. Assign a named person responsible for reviewing CISA ICS advisories on a weekly cadence and routing relevant items to the appropriate operational contacts. This is a process control, not a technology control — and it closes the awareness gap that leaves many engineers unaware of vulnerabilities affecting the software they use daily.
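The baseline-hash check from item 3, as an added example that is not Delta or CISA tooling: it records a SHA-256 manifest for known-good project files and classifies each returned file before anyone opens it. The file names, the manifest layout and the status labels are assumptions of this example, and the sample files hold arbitrary bytes rather than real DPAX content.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large project files are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(project_dir):
    """Map each .dpax file (lower-cased relative name) to its known-good SHA-256."""
    root = Path(project_dir)
    return {
        p.relative_to(root).as_posix().lower(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() == ".dpax"
    }


def save_manifest(manifest, manifest_path):
    """Write the baseline as JSON; keep this file off the engineering workstation."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    """Read a baseline written by save_manifest."""
    return json.loads(Path(manifest_path).read_text())


def verify_before_open(candidate, manifest, baseline_name=None):
    """Classify a file before it is opened in the engineering tool.

    verified: same name and same bytes as the baseline
    renamed:  bytes match a baseline entry stored under another name
    modified: name is in the baseline but the bytes differ
    unknown:  neither the name nor the bytes are in the baseline
    """
    candidate = Path(candidate)
    key = (baseline_name or candidate.name).lower()
    actual = sha256_file(candidate)
    expected = manifest.get(key)
    if expected == actual:
        return "verified"
    if expected is not None:
        return "modified"
    return "renamed" if actual in manifest.values() else "unknown"


def may_open(status):
    """Only byte-identical, known files go straight to the parser; the rest need review."""
    return status == "verified"


def demo():
    """Run the check over constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline_dir, returned_dir = Path(tmp, "baseline"), Path(tmp, "returned")
        baseline_dir.mkdir()
        returned_dir.mkdir()
        (baseline_dir / "line1.dpax").write_bytes(b"constructed project A")
        (baseline_dir / "cell2.DPAX").write_bytes(b"constructed project B")
        manifest_path = Path(tmp, "manifest.json")
        save_manifest(build_manifest(baseline_dir), manifest_path)

        # Files as they come back from external handling (constructed).
        (returned_dir / "line1.dpax").write_bytes(b"constructed project A, edited")
        (returned_dir / "cell2.dpax").write_bytes(b"constructed project B")
        (returned_dir / "cell2_copy.dpax").write_bytes(b"constructed project B")
        (returned_dir / "new_vendor.dpax").write_bytes(b"never seen before")

        manifest = load_manifest(manifest_path)
        return {
            p.name: verify_before_open(p, manifest)
            for p in sorted(returned_dir.iterdir())
        }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status} (open directly: {may_open(status)})")
```

A "modified" result is not proof of tampering, since a contractor's legitimate edit also changes the hash; it marks the file for review or CDR before it reaches the parser.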
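The child-process baseline from item 7, as an added example rather than any vendor's detection content: it learns which child images the engineering tool normally launches, then flags anything else. The page does not name the CNCSoft-G2 executable, so the image name is a placeholder; the paths, helper name and events are constructed, with field names modeled on Sysmon process-creation events.

```python
from pathlib import PureWindowsPath

# Placeholder: the page does not give the CNCSoft-G2 executable name; substitute the real one.
HMI_IMAGE = "cncsoft-g2-placeholder.exe"

# Shells and script hosts an engineering tool has no routine reason to launch.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

HMI = r"C:\Program Files\ExampleVendor\cncsoft-g2-placeholder.exe"   # constructed path
HELPER = r"C:\Program Files\ExampleVendor\placeholder-compiler.exe"  # hypothetical helper
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"


def event(time, parent, image):
    """Build one constructed process-creation record."""
    return {"UtcTime": time, "ParentImage": parent, "Image": image}


# Constructed training window: normal engineering activity.
BASELINE_EVENTS = [
    event("2026-03-02 08:01:10", EXPLORER, HMI),
    event("2026-03-02 08:05:42", HMI, HELPER),
    event("2026-03-02 13:20:03", HMI, HELPER),
]

# Constructed live window.
LIVE_EVENTS = [
    event("2026-03-09 09:00:00", HMI, HELPER),
    event("2026-03-09 09:14:31", HMI, CMD),
    event("2026-03-09 09:15:02", EXPLORER, CMD),
    event("2026-03-09 09:16:45", HMI.upper(), r"C:\Users\Public\placeholder-compiler.exe"),
    event("2026-03-09 09:17:20", HMI, r"C:\Users\eng1\AppData\Local\Temp\svc-helper.exe"),
]


def norm_path(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return str(PureWindowsPath(path)).lower()


def image_name(path):
    return PureWindowsPath(path).name.lower()


def learn_baseline(events):
    """Collect the full paths of children launched by the HMI process."""
    return {norm_path(e["Image"]) for e in events
            if image_name(e["ParentImage"]) == HMI_IMAGE}


def detect(events, baseline):
    """Return an alert for each HMI child that is not in the baseline."""
    known_names = {image_name(p) for p in baseline}
    alerts = []
    for e in events:
        if image_name(e["ParentImage"]) != HMI_IMAGE:
            continue  # only children of the engineering tool are in scope
        child_path, child = norm_path(e["Image"]), image_name(e["Image"])
        if child_path in baseline:
            continue
        if child in SUSPECT_CHILDREN:
            severity, reason = "high", "shell or script host launched by HMI"
        elif child in known_names:
            # Same file name as a baselined helper, but from another directory.
            severity, reason = "high", "baselined name from unexpected path"
        else:
            severity, reason = "medium", "child image not in baseline"
        alerts.append({"time": e["UtcTime"], "child": child, "path": child_path,
                       "severity": severity, "reason": reason})
    return alerts


def run_demo():
    return detect(LIVE_EVENTS, learn_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline stores full paths rather than file names, which is why a copy of the baselined helper launched from a user-writable directory is still flagged.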

The Broader Implication: File Parsing as Persistent Attack Surface

CVE-2026-3094 is a high-severity vulnerability in a specific product. It is also an illustration of a persistent structural problem in industrial software security.

HMI and engineering software applications are built to read complex, structured, vendor-defined file formats. Those files carry machine configurations, device parameters, and programming instructions. They are passed between engineers, vendors, contractors, and integrators as routine artifacts of the industrial workflow. They are not treated as potentially hostile data. They are trusted by default.

That trust is the attack surface.

Out-of-bounds write vulnerabilities in file parsers are not a new class of bug. They are among the oldest and most well-understood memory safety issues in software engineering. The techniques for preventing them — boundary checking before buffer writes, safe parsing libraries, fuzzing-based testing, static analysis — have been available for decades. The fact that CNCSoft-G2's DOPSoft component has continued to produce CWE-787 findings across multiple versions and multiple years suggests that the underlying code either lacks systematic application of those techniques or carries technical debt from earlier development cycles that has not yet been fully addressed.

This is not a theoretical concern in a theoretical threat landscape. Dragos's 2026 OT/ICS Cybersecurity Year in Review documents a newly identified threat group called AZURITE that specifically targets OT engineering workstations for long-term access and data exfiltration — extracting operational data including network diagrams, alarm data, and process information for use in developing downstream attack capabilities. The group targets manufacturing, defense, automotive, electric, oil and gas, and government organizations across the United States, Australia, Europe, and Asia-Pacific, with confirmed technical overlaps with Flax Typhoon. A successfully exploited engineering workstation running CNCSoft-G2 is precisely the kind of host AZURITE seeks.

Critically, Dragos notes that AZURITE rapidly incorporates publicly available proof-of-concept code into active operations — exploiting the lag between PoC publication and organizational patch deployment. CVE-2026-3094 has now been publicly disclosed. The three-month window from vendor notification to public release has closed. If a PoC surfaces for this vulnerability, AZURITE's documented operational pattern suggests it would be weaponized quickly.

VOLTZITE, a separate threat group that Dragos elevated to Stage 2 of the ICS Cyber Kill Chain in 2025, was directly observed manipulating engineering workstation software to extract configuration files and investigate conditions that would trigger process shutdowns — in one confirmed case, by first compromising Sierra Wireless Airlink cellular gateways connected to U.S. midstream pipeline operations, then pivoting from those gateways to engineering workstations. VOLTZITE shares technical overlaps with Volt Typhoon, the group U.S. intelligence has warned is prepositioning for potential disruption of critical infrastructure.

A third group is also newly relevant here. SYLVANITE operates as a specialized initial access provider — rapidly weaponizing vulnerabilities in internet-facing systems and handing established footholds to VOLTZITE for deeper OT intrusions. Dragos directly observed SYLVANITE exploiting Ivanti vulnerabilities and extracting Active Directory credentials at U.S. electric and water utilities, sometimes within 48 hours of vulnerability disclosure. The ecosystem model — one group for initial access, another for OT exploitation — compresses the timeline from breach to operational impact. That division of labor is directly relevant to how organizations should think about CVE-2026-3094's exposure window: the question is not only whether an attacker finds the engineering workstation, but whether a SYLVANITE-type actor has already handed access to something more capable.

The question this raises is not whether attackers are interested in engineering workstations. They demonstrably are. The question is whether the file-delivery threat model is built into the defensive posture of organizations that use CNCSoft-G2 — and whether those organizations understand that the threat now arrives via coordinated ecosystems, not lone actors. The answer to both questions, in many cases, is no.

There is also a structural gap at the vendor level that the recurring CVE pattern surfaces. The security research community has increasingly focused on Software Bills of Materials (SBOMs) — inventories of software components and versions embedded in a product — as a mechanism for supply chain transparency. For ICS software with complex file-parsing engines, an SBOM would reveal which third-party parsing libraries are in use and whether known-vulnerable versions are present. If Delta Electronics' DOPSoft component uses third-party or legacy parsing code rather than purpose-built validated parsers, an SBOM would make that dependency visible to customers and regulators. The ICS sector is behind the enterprise IT sector on SBOM adoption, and CVE-2026-3094's context illustrates exactly why that matters.

The ransomware dimension adds another layer. Dragos's 2026 report found that ransomware groups targeting industrial organizations surged 49 percent year-over-year, hitting 3,300 organizations globally — with manufacturing accounting for more than two-thirds of victims. Many of those incidents are misclassified as "IT incidents" when Windows servers hosting SCADA software or engineering workstations are compromised. A CNCSoft-G2 workstation that has been exploited via CVE-2026-3094 and then handed off to a ransomware group creates exactly that scenario: an OT-adjacent compromise labeled an IT incident, with production consequences that may not be recognized until physical operations are affected. The point is not that CVE-2026-3094 will necessarily be used by ransomware actors — it is that the workstation running CNCSoft-G2 already sits in that targeting zone.

The newest dimension from the 2026 Dragos report is worth naming explicitly: adversaries are no longer content with access. They are actively mapping control loops — understanding how industrial processes work, where commands originate, how they propagate, and where physical effects can be induced. An engineering workstation like the one running CNCSoft-G2 is a map of that process. The DPAX files it holds define machine behavior. A threat actor who exploits CVE-2026-3094 and then spends six months reading project files, alarm configurations, and device parameter sets is not simply compromising software. They are learning the physical system. That is the threat model that CVE-2026-3094 sits inside — not a software flaw in isolation, but a door into a building whose floor plan describes physical industrial operations.

For the industrial security community, this pattern is a signal. The file-parsing attack surface in HMI and engineering workstation software is not theoretical. It has been repeatedly confirmed as exploitable by coordinated researchers working through established disclosure programs. Organizations that treat ICS security as primarily a network segmentation problem are not looking at the whole picture. The threat enters through project files. The defense requires controlling files with the same rigor applied to network traffic.
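One way to apply that rigor at the file boundary, as an added example that is not from the article or from Delta: a default-deny intake check that releases a project file only when its SHA-256 digest appears on an approved manifest, the way a firewall drops traffic that matches no rule. The `.dpax` extension, the sha256sum-style manifest layout and all function names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large project files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_manifest(text):
    """Read 'digest  filename' lines (sha256sum layout) into a set of digests."""
    approved = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            token = fields[0].lower()
            if len(token) == 64 and set(token) <= set("0123456789abcdef"):
                approved.add(token)
    return approved


def triage(intake_dir, approved):
    """Default-deny: release a project file only if its digest is on the manifest."""
    root = Path(intake_dir)
    verdicts = {}
    for path in sorted(root.rglob("*")):
        # ".dpax" as the on-disk extension is an assumption; match case-insensitively.
        if path.is_file() and path.suffix.lower() == ".dpax":
            known = sha256_file(path) in approved
            verdicts[path.relative_to(root).as_posix()] = "release" if known else "quarantine"
    return verdicts


if __name__ == "__main__":
    # Constructed demo: two placeholder files, only one listed on the manifest.
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "line1.dpax")
        good.write_bytes(b"constructed approved project bytes")
        Path(tmp, "from_email.DPAX").write_bytes(b"constructed unknown bytes")
        manifest = f"{sha256_file(good)}  line1.dpax\n"
        for name, verdict in triage(tmp, load_manifest(manifest)).items():
            print(f"{verdict:10} {name}")
```

The manifest itself has to come from a source the engineering team already trusts, such as a signed export from the project repository; a manifest delivered alongside the file proves nothing.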

Conclusion

CVE-2026-3094 is, on its own terms, a manageable vulnerability. A patch is available. The disclosure was coordinated. No exploitation in the wild has been confirmed. An organization that patches promptly, controls its file intake surface, and applies defense-in-depth to engineering workstations can close this specific exposure.

But CVE-2026-3094 read in context — as the latest in a multi-year series of memory corruption findings in the same component of the same product, disclosed through the same researcher and the same coordinated channel, affecting critical manufacturing infrastructure deployed worldwide — is a more significant signal. It points to a software security debt that patching alone does not retire, an attack surface that the industrial sector has not fully recalibrated its defenses to address, and a file-delivery threat model that sits outside the perimeter-focused mental model that still governs much of OT security.

The adversary context makes this more urgent, not less. AZURITE, documented by Dragos in 2026, rapidly incorporates public proof-of-concept code into active operations. CVE-2026-3094 is now public. SYLVANITE specializes in establishing access on internet-facing systems and handing it to VOLTZITE — a group that has documented interest in reading the exact kind of configuration files that CNCSoft-G2 manages. These are not speculative connections. They are documented operational patterns in the same environment where this vulnerability exists.

There is also the legacy question. Delta has confirmed it will not patch the A-series CNCSoft product line at all — permanently unpatched file-parsing vulnerabilities on systems that may still be active in production environments. That is not an indictment of Delta; it is the ordinary end of a product lifecycle in any software industry. But in industrial environments, lifecycle management rarely keeps pace with vendor support windows. Organizations must actively inventory what they are running, at what version, and against what disclosed vulnerabilities — not assume their systems are current because they haven't changed recently.
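The inventory check described above, as an added example that is not taken from any vendor tool: it compares each workstation's recorded version against the fixed release V2.1.0.39 and flags A-series installs as unsupported. The CSV columns, hostnames, version values and the `CNCSoft A-series` product label are constructed assumptions.

```python
import csv
import io
import re

# Fixed release named in the advisory: CNCSoft-G2 prior to V2.1.0.39 is affected.
FIXED_G2 = (2, 1, 0, 39)
# Assumed inventory label for the A-series line, which will not receive a patch.
LEGACY_LABEL = "CNCSoft A-series"

# Constructed sample export; hostnames, column names and versions are made up.
SAMPLE_INVENTORY = """host,product,version
ews-line1,CNCSoft-G2,V2.1.0.39
ews-line2,CNCSoft-G2,2.1.0.4
ews-paint,CNCSoft-G2,v2.0.0.5
ews-old,CNCSoft A-series,1.01.30
ews-lab,CNCSoft-G2,
"""


def parse_version(text):
    """Turn 'V2.1.0.39' into (2, 1, 0, 39); return None if it is not dotted numeric."""
    match = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", (text or "").strip())
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad short versions with zeros


def classify(product, version_text):
    """Return the exposure status of one inventory row."""
    product = product.strip()
    if product == LEGACY_LABEL:
        return "unsupported"          # no fix will ship; isolate or replace
    if product != "CNCSoft-G2":
        return "not-in-scope"
    version = parse_version(version_text)
    if version is None:
        return "unknown-version"      # treat as exposed until verified
    # Numeric tuple comparison: as strings, "2.1.0.4" would sort above "2.1.0.39".
    return "vulnerable" if version < FIXED_G2 else "patched"


def audit(inventory_csv):
    """Map each host in a CSV export to its exposure status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["product"], row["version"]) for row in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```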

For cybersecurity professionals, educators, and practitioners working in or adjacent to industrial environments: the lesson of CVE-2026-3094 is not just to patch. It is to understand why the same class of vulnerability keeps reappearing in the same place, to build security programs that address the root rather than just the most recent symptom, and to recognize that the engineers who open project files every day as a routine act of their job are the undefended edge of the ICS security perimeter — and that some of the threat actors now targeting that edge are actively mapping the physical systems those files describe.

Sources and Verified References

  • CISA Advisory ICSA-26-064-01 Delta Electronics CNCSoft-G2 — Published March 5, 2026
    cisa.gov/news-events/ics-advisories/icsa-26-064-01
  • Delta Electronics Vendor Advisory Delta-PCSA-2026-00004. Delta Electronics CNCSoft-G2 File Parsing Out-Of-Bounds Write
    filecenter.deltaww.com — Delta-PCSA-2026-00004
  • CVE-2026-3094 — THREATINT / MITRE. Reserved: February 24, 2026 | Published: March 4, 2026 | Assigner: Deltaww
    cve.threatint.eu/CVE/CVE-2026-3094
  • CISA Advisory ICSA-24-191-01 (Update A) Delta Electronics CNCSoft-G2 — Covers CVE-2024-39880 through CVE-2024-39883, CVE-2024-12858, CVE-2025-22880. CVE-2025-22880 reported by Bobby Gould, Fritz Sands, and Natnael Samson working with ZDI.
    cisa.gov/news-events/ics-advisories/icsa-24-191-01
  • CISA Advisory ICSA-24-121-01 (Update A) Delta Electronics CNCSoft-G2 DOPSoft — Covers CVE-2024-4192, CVE-2025-58319
    cisa.gov/news-events/ics-advisories/icsa-24-121-01
  • CISA Advisory ICSA-23-157-01 Delta Electronics CNCSoft-B DOPSoft — Covers CVE-2023-4685, CVE-2023-25177 | Researcher: Natnael Samson (@NattiSamson), TrendAI Zero Day Initiative (ZDI)
    cisa.gov/news-events/ics-advisories/icsa-23-157-01
  • CISA Advisory ICSA-24-060-01 Delta Electronics CNCSoft-B — CVE-2024-1941 | Researcher: Natnael Samson (@NattiSamson), TrendAI Zero Day Initiative (ZDI)
    cisa.gov/news-events/ics-advisories/icsa-24-060-01
  • CISA Advisory ICSA-25-175-02 Delta Electronics CNCSoft — Covers CVE-2025-47724 through CVE-2025-47727 | Researcher: Natnael Samson, TrendAI Zero Day Initiative (ZDI)
    cisa.gov/news-events/ics-advisories/icsa-25-175-02
  • CISA Advisory ICSA-18-219-01 Delta Electronics CNCSoft and ScreenEditor — Researcher: Natnael Samson (Natti), TrendAI Zero Day Initiative (ZDI)
    cisa.gov/news-events/ics-advisories/icsa-18-219-01
  • SOCRadar — CISA ICS Advisories Recap for 2024–2025. CNCSoft-G2 identified as one of five most-cited products in ICS advisories (2024–2025)
    socradar.io/blog/cisa-industrial-control-systems-ics-advisories-2025/
  • OffSeq / Threat Radar — CVE-2026-3094 Analysis. CWE-787 Out-of-Bounds Write in deltaww CNCSoft-G2. Note: this entry was captured prior to the patch release and incorrectly states no patch is available; the Delta V2.1.0.39 patch has since been confirmed by CISA and the vendor.
    radar.offseq.com — CVE-2026-3094
  • ZDI-26-151 — TrendAI Zero Day Initiative (ZDI). Delta Electronics CNCSoft-G2 DPAX File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. Researcher: Natnael Samson (@NattiSamson). Vendor notified: December 11, 2025. Coordinated public release: March 6, 2026. ZDI is operated by Trend Micro under the TrendAI brand.
    zerodayinitiative.com/advisories/ZDI-26-151
  • Dragos 2026 OT/ICS Cybersecurity Report and Year in Review. Documents AZURITE and VOLTZITE threat groups targeting engineering workstations; AZURITE (overlaps with Flax Typhoon) targets manufacturing, defense, automotive, electric, oil and gas, and government organizations across the U.S., Australia, Europe, and Asia-Pacific; VOLTZITE elevated to ICS Kill Chain Stage 2 after pivoting from Sierra Wireless Airlink gateways to engineering workstations; SYLVANITE identified as a new initial access provider handing footholds to VOLTZITE; ransomware groups with OT reach surged 49% year-over-year impacting 3,300 industrial organizations, with manufacturing accounting for more than two-thirds of victims; 25% of ICS-CERT CVSS scores found incorrect in 2025; 26 OT threat groups now tracked globally.
    dragos.com/ot-cybersecurity-year-in-review
All facts in this article are drawn from primary sources including CISA ICS advisories, the Delta Electronics vendor advisory, the TrendAI Zero Day Initiative advisory ZDI-26-151, the MITRE CVE database, and the Dragos 2026 OT/ICS Cybersecurity Report. All CVSS scores and vector strings are reproduced exactly as published in the official advisories. No active exploitation of CVE-2026-3094 has been confirmed as of the publication date of this article (March 2026).