CVE-2026-5726: Stack-Based Buffer Overflow in Delta Electronics ASDA-Soft Enables Remote Code Execution
A critical stack-based buffer overflow vulnerability in Delta Electronics ASDA-Soft (CVE-2026-5726) allows remote code execution via malicious PAR files, with a CVSS score of 7.8 and a fix now available.

Delta Electronics has released a security update to address CVE-2026-5726, a stack-based buffer overflow vulnerability in its ASDA-Soft industrial automation software. The flaw, disclosed by the Zero Day Initiative (ZDI-26-296) on April 23, 2026, carries a CVSS score of 7.8 and affects all versions of ASDA-Soft. Successful exploitation could allow an attacker to execute arbitrary code in the context of the current process, posing a significant risk to industrial environments.
The vulnerability resides in the parsing of PAR files within ASDA-Soft. The specific issue stems from the lack of proper validation of user-supplied data length before copying it to a stack-based buffer. An attacker can trigger the overflow by convincing a user to open a malicious PAR file or visit a specially crafted web page. This user interaction requirement is the only barrier to exploitation, making social engineering a key vector.
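The defect class the advisory describes, a file-format parser that trusts a length field and copies that many bytes into a fixed stack buffer, is illustrated below with an added example; it is not part of the advisory and not Delta Electronics' code. The record layout (a one-byte tag, a two-byte little-endian length, then the parameter name) is a constructed stand-in, not the real PAR format, and every function name is hypothetical. The unsafe function shows the missing check; the hardened one bounds the length against both the bytes actually present and the destination buffer before copying, and the demo functions feed it constructed well-formed, oversize and truncated records.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout used only for this example (NOT the real PAR format):
 *   byte 0      : tag
 *   bytes 1..2  : little-endian length of the parameter name
 *   bytes 3..   : the parameter name (length bytes)
 */
#define HDR_LEN   3
#define NAME_BUF  32

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

static uint16_t read_u16_le(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Unsafe pattern (hypothetical): the length field from the file is used as the
 * copy size for a fixed stack buffer without any check. This is the defect class
 * described in the advisory. Never called in this example; shown for contrast. */
void parse_record_unsafe(const uint8_t *data) {
    char name[NAME_BUF];
    uint16_t n = read_u16_le(data + 1);
    memcpy(name, data + HDR_LEN, n);   /* n > NAME_BUF - 1 overruns the stack frame */
    name[n] = '\0';
    printf("name=%s\n", name);
}

/* Hardened form: validate the length against the bytes actually present and
 * against the destination buffer (leaving room for the terminator) before copying. */
int parse_record_safe(const uint8_t *data, size_t len, char *out, size_t out_size) {
    if (len < HDR_LEN) return PARSE_TRUNCATED;
    uint16_t n = read_u16_le(data + 1);
    if (n > len - HDR_LEN) return PARSE_TRUNCATED;  /* claims more bytes than the file holds */
    if (n >= out_size)     return PARSE_TOO_LONG;   /* would not fit with a NUL terminator */
    memcpy(out, data + HDR_LEN, n);
    out[n] = '\0';
    return PARSE_OK;
}

/* Build a constructed record with an arbitrary claimed length so that
 * mismatches between the header and the payload can be exercised. */
size_t build_record(uint8_t *buf, size_t cap, uint8_t tag,
                    uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    if (cap < HDR_LEN + plen) return 0;
    buf[0] = tag;
    buf[1] = (uint8_t)(claimed_len & 0xFF);
    buf[2] = (uint8_t)(claimed_len >> 8);
    memcpy(buf + HDR_LEN, payload, plen);
    return HDR_LEN + plen;
}

/* Well-formed record: length matches the payload and fits the buffer. Returns 1 on success. */
int demo_valid_record(void) {
    uint8_t rec[64];
    char name[NAME_BUF];
    size_t n = build_record(rec, sizeof rec, 0x01, 5, "KP_01");
    return parse_record_safe(rec, n, name, sizeof name) == PARSE_OK
           && strcmp(name, "KP_01") == 0;
}

/* Oversize record: 100 bytes really are present, but the 32-byte buffer cannot hold them. */
int demo_oversize_length(void) {
    uint8_t rec[256];
    char payload[101];
    char name[NAME_BUF];
    memset(payload, 'A', 100);
    payload[100] = '\0';
    size_t n = build_record(rec, sizeof rec, 0x01, 100, payload);
    return parse_record_safe(rec, n, name, sizeof name);
}

/* Truncated record: header claims 1000 bytes but only 5 follow. */
int demo_truncated_length(void) {
    uint8_t rec[64];
    char name[NAME_BUF];
    size_t n = build_record(rec, sizeof rec, 0x01, 1000, "KP_01");
    return parse_record_safe(rec, n, name, sizeof name);
}

int main(void) {
    printf("valid record parsed: %d\n", demo_valid_record());
    printf("oversize length -> %d (expect %d)\n", demo_oversize_length(), PARSE_TOO_LONG);
    printf("truncated length -> %d (expect %d)\n", demo_truncated_length(), PARSE_TRUNCATED);
    return 0;
}
```

The two checks in parse_record_safe are deliberately separate: the first catches a header that lies about how much data follows (an over-read), the second catches data that is genuinely present but larger than the stack buffer (the over-write this advisory concerns). Rejecting the record rather than silently truncating it keeps a malformed file from being half-applied to a drive configuration.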
ASDA-Soft is widely used in industrial control systems for configuring and managing Delta Electronics' servo drives and motion controllers. A compromise of this software could allow attackers to manipulate industrial processes, disrupt production, or pivot to other systems within an operational technology (OT) network. The vulnerability's CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) highlights the potential for complete compromise of confidentiality, integrity, and availability.
Delta Electronics has issued a fix for CVE-2026-5726, as detailed in CISA advisory ICSA-26-106-01. Users are strongly urged to apply the update immediately. In the interim, organizations should restrict access to ASDA-Soft systems, enforce strict file handling policies, and educate users about the risks of opening unsolicited PAR files or visiting untrusted websites.
The vulnerability was responsibly disclosed to Delta Electronics on February 6, 2026, by researcher Feng Xiong, who is credited with the discovery. The coordinated public release of the advisory occurred on April 23, 2026, following the vendor's development of a patch. This timeline reflects a standard coordinated disclosure process.
This disclosure adds to a growing list of vulnerabilities in industrial control system (ICS) software, underscoring the critical need for robust security practices in OT environments. As attackers increasingly target industrial infrastructure, timely patching and user awareness remain essential defenses against exploitation.