Critical Vulnerabilities in Delta Electronics DVP12SE PLC Expose Industrial Control Systems to Unauthenticated Remote Attacks
CISA has issued a critical alert for Delta Electronics DVP12SE PLCs, detailing two high-severity vulnerabilities that allow unauthenticated remote command execution and denial-of-service attacks.
CISA has issued a critical alert regarding two severe vulnerabilities affecting Delta Electronics DVP12SE Programmable Logic Controllers (PLCs). These flaws, identified as CVE-2026-12819 and CVE-2026-12818, could allow unauthenticated attackers to remotely execute commands, modify operational values, interfere with control logic, and alter device behavior, posing a significant risk to industrial control systems.
The primary vulnerability, CVE-2026-12819, stems from the Modbus TCP service on the DVP12SE PLC lacking proper authentication and access control. This allows any attacker on a reachable network to interact with critical PLC functions without needing credentials, privilege validation, or operator approval. The exploit enables unauthorized read and write access to sensitive data such as coils, holding registers, operational memory, relay states, and process control functions, directly impacting the device's intended operation.
Compounding the risk, CVE-2026-12818 is a denial-of-service vulnerability caused by issues in resource allocation within the same Modbus TCP service. An attacker can exploit this by flooding the Modbus port (TCP/502) with a continuous stream of network packets, including specially crafted or malformed ones. Successful exploitation could render the PLC unresponsive, disrupting critical industrial processes and potentially leading to significant operational downtime.
Both vulnerabilities have been assigned a CVSS v3.1 base score of 9.8, categorizing them as CRITICAL. The CVSS v4.0 score is also a critical 9.3. These high scores reflect the potential for remote, unauthenticated exploitation with severe impacts on confidentiality, integrity, and availability. The affected product is the Delta Electronics DVP12SE PLC, with all versions currently known to be affected.
Delta Electronics has acknowledged the vulnerabilities and is actively working on a fix. In the interim, the company recommends several mitigation strategies. Users are advised to enable the PLC's built-in IP Filter feature to restrict access to only trusted IP addresses. Additionally, enabling password protection for the PLC within the programming software is recommended to prevent unauthorized modification of control logic and parameters.
Further recommended security practices include implementing robust network segmentation and firewall protection. PLCs should be deployed within an isolated Operational Technology (OT) control network, never directly connected to business networks or the internet. If remote access is necessary, it must be secured through a Virtual Private Network (VPN) tunnel, ensuring the VPN itself is up-to-date and secure.
CISA emphasizes that organizations should minimize network exposure for all control system devices, ensuring they are not accessible from the internet. Isolating control system networks behind firewalls is a crucial defense. While Delta Electronics works on a permanent solution, these workarounds are essential for protecting critical infrastructure from potential attacks that could disrupt manufacturing processes and other vital operations.
These vulnerabilities highlight the persistent risks within the Industrial Internet of Things (IIoT) and the importance of securing legacy systems. The lack of authentication in widely used industrial protocols like Modbus TCP continues to be a significant attack vector, underscoring the need for vendors to prioritize security in design and for operators to implement strong network security practices.