
Delta Electronics’ ISPSoft programming software, widely used in industrial automation systems, contains multiple critical vulnerabilities that could allow attackers to execute arbitrary code on affected systems. The vulnerabilities, tracked as CVE-2025-22882 through CVE-2025-22884, affect versions 3.19 and prior of the software, with the vendor recommending immediate updates to version 3.21 or later [1].
Executive Summary
The vulnerabilities in ISPSoft pose significant risks to industrial control systems, particularly in critical manufacturing sectors. Three distinct vulnerabilities have been identified: two stack-based buffer overflows (CWE-121) and one out-of-bounds write (CWE-787). These vulnerabilities share common characteristics, including high CVSS scores (7.8 in v3 and 8.4 in v4) and the ability to lead to arbitrary code execution when parsing specific file types [2].
The affected software, ISPSoft, is Delta Electronics’ PLC programming software compliant with IEC 61131-3 standards, used globally in industrial automation systems [3]. The vulnerabilities were reported to CISA by the Zero Day Initiative, with no known public exploits currently available [4].
Technical Details of the Vulnerabilities
The first vulnerability, CVE-2025-22882, is a stack-based buffer overflow that occurs when parsing CBDGL files. Attackers could leverage debugging logic to execute arbitrary code on systems running vulnerable versions of ISPSoft. The second vulnerability, CVE-2025-22883, involves an out-of-bounds write condition when processing DVP files, while CVE-2025-22884 is another stack-based buffer overflow affecting DVP file parsing [5].
All three vulnerabilities require local access to the target system and user interaction to exploit, as they are triggered through file parsing operations. The CVSS v4 scores of 8.4 reflect the high potential impact of successful exploitation, which could lead to complete system compromise in industrial environments [6].
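The defect class behind all three CVEs is a length or offset read from the parsed file being trusted and used to copy into a fixed-size stack buffer. The C example below is added here to illustrate that class beside its hardened form; it is not ISPSoft code, and the record layout, function names and the NAME_MAX constant are assumptions for illustration, since the advisory does not document the CBDGL or DVP formats.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout used only for this illustration; it is NOT the
 * real ISPSoft CBDGL or DVP file format, which the advisory does not describe:
 *
 *   offset 0..1 : name_len, little-endian u16
 *   offset 2..  : name bytes (name_len of them)
 */
#define NAME_MAX 32

/* CWE-121 pattern: the length field read from the file is trusted and used to
 * copy into a fixed-size stack buffer. Any name_len above NAME_MAX overwrites
 * adjacent stack memory. Kept for comparison; only ever called on good input. */
static int parse_name_unchecked(const uint8_t *rec, size_t rec_len, char *out)
{
    char name[NAME_MAX];
    if (rec_len < 2)
        return -1;
    uint16_t name_len = (uint16_t)(rec[0] | ((uint16_t)rec[1] << 8));
    memcpy(name, rec + 2, name_len);   /* no check against NAME_MAX or rec_len */
    memcpy(out, name, name_len);
    out[name_len] = '\0';
    return 0;
}

/* Hardened version: every length derived from file contents is validated
 * against both the destination capacity (prevents the stack overflow,
 * CWE-121 / CWE-787) and the bytes actually present in the record (prevents
 * reading past the end of the input). */
static int parse_name_checked(const uint8_t *rec, size_t rec_len, char out[NAME_MAX + 1])
{
    if (rec == NULL || out == NULL || rec_len < 2)
        return -1;
    uint16_t name_len = (uint16_t)(rec[0] | ((uint16_t)rec[1] << 8));
    if (name_len > NAME_MAX)            /* would not fit the destination */
        return -1;
    if ((size_t)name_len > rec_len - 2) /* declares more bytes than the record holds */
        return -1;
    memcpy(out, rec + 2, name_len);
    out[name_len] = '\0';
    return 0;
}

/* Constructed inputs. good_rec is a well-formed record naming "Main1".
 * bad_rec declares a 512-byte name (0x0200 little-endian) but carries only
 * four bytes: the kind of malformed record a fuzzer produces. */
static const uint8_t good_rec[] = { 0x05, 0x00, 'M', 'a', 'i', 'n', '1' };
static const uint8_t bad_rec[]  = { 0x00, 0x02, 'A', 'B', 'C', 'D' };

int demo_checked_good(char out[NAME_MAX + 1])
{
    return parse_name_checked(good_rec, sizeof good_rec, out);
}

int demo_checked_bad(void)
{
    char out[NAME_MAX + 1];
    return parse_name_checked(bad_rec, sizeof bad_rec, out);
}

/* On well-formed input both parsers behave identically, which is why the
 * defect goes unnoticed in functional testing and only surfaces under
 * malformed files or fuzzing. Returns 1 when both succeed with equal output. */
int parsers_agree_on_good_input(void)
{
    char a[NAME_MAX + 1], b[NAME_MAX + 1];
    if (parse_name_unchecked(good_rec, sizeof good_rec, a) != 0) return 0;
    if (parse_name_checked(good_rec, sizeof good_rec, b) != 0) return 0;
    return strcmp(a, b) == 0;
}

int main(void)
{
    char out[NAME_MAX + 1];
    printf("checked parser, good record: %d (%s)\n", demo_checked_good(out), out);
    printf("checked parser, bad record : %d\n", demo_checked_bad());
    printf("parsers agree on good input: %d\n", parsers_agree_on_good_input());
    return 0;
}
```

The two bounds in the hardened parser are distinct checks: the first keeps the copy inside the destination buffer, the second keeps the read inside the source record. Dropping either one leaves a memory-safety defect, and a reviewer of file-parsing code in an engineering tool should expect to see both for every length field the format carries.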
Affected Products and Deployment
The vulnerabilities impact ISPSoft versions 3.19 and earlier, with Delta Electronics confirming that version 3.21 contains the necessary fixes. The software is deployed worldwide, particularly in critical manufacturing sectors, with Delta Electronics headquartered in Taiwan [7].
Industrial control systems using vulnerable versions of ISPSoft should be considered at risk, especially those connected to business networks or with internet accessibility. The nature of these vulnerabilities makes them particularly concerning for systems where PLC programming files are frequently exchanged between engineering workstations [8].
Mitigation Strategies
Delta Electronics recommends immediate updating to ISPSoft version 3.21 or later, available through their official download center [9]. CISA has provided additional defensive measures to minimize risk:
- Isolate control system networks behind firewalls
- Restrict internet access to ICS devices
- Use secure remote access methods like VPNs when necessary
- Implement proper network segmentation
CISA also recommends reviewing their ICS security recommended practices, including defense-in-depth strategies and targeted intrusion detection methods [10]. Organizations should conduct thorough risk assessments before implementing any mitigation measures to ensure they don’t disrupt critical operations.
Conclusion
The discovery of these vulnerabilities in Delta Electronics’ ISPSoft highlights the ongoing security challenges in industrial control systems. While the vulnerabilities require local access to exploit, their potential impact on critical manufacturing systems warrants immediate attention. Organizations using affected versions should prioritize updating to the patched version and review their ICS security posture to prevent potential exploitation attempts.
As industrial systems increasingly become targets for sophisticated attacks, maintaining vigilance through prompt patching, network segmentation, and continuous monitoring remains essential for protecting critical infrastructure from potential compromise.
References
- “Delta-PCSA-2025-00004: ISPSoft – Multiple Vulnerabilities,” Delta Electronics, 2025. [Online]. Available: https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00004_ISPSoft%20-%20Multiple%20Vulnerabilities_v1.pdf
- “CVE-2025-22882 Detail,” NVD, 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-22882
- “ISPSoft Programming Software,” Delta Electronics. [Online]. Available: https://www.deltaww.com/en-us/products/PLC-Programmable-Logic-Controllers/3598
- “ICSA-25-119-02: Delta Electronics ISPSoft Vulnerabilities,” CISA, 2025. [Online]. Available: https://www.cisa.gov/news-events/ics-advisories/icsa-25-119-02
- “CVE-2025-22883 Detail,” NVD, 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-22883
- “CVE-2025-22884 Analysis,” SecAlerts, 2025. [Online]. Available: https://secalerts.co/vulnerability/CVE-2025-22884
- “Delta Electronics ISPSoft Download Center,” Delta Electronics. [Online]. Available: https://downloadcenter.deltaww.com/
- “ICS Recommended Practices,” CISA. [Online]. Available: https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
- “ICS-TIP-12-146-01B: Targeted Cyber Intrusion Detection and Mitigation Strategies,” CISA. [Online]. Available: https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
- “Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies,” CISA. [Online]. Available: https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf